Threat Explorer

Dialer.OneOnOne

Updated: 13 February 2007
Risk Impact: High
File Names: 1on1.exe; Hot_Kiss.exe; Adult_Chat.exe; Ce_XXX.exe; [RANDOM FILE NAME]
Systems Affected: Windows

Behavior

Dialer.OneOnOne is a dialer program that uses the computer's modem to dial a high-cost (premium-rate) phone number and provides access to various Web sites over that connection. The charges for the call appear on the bill of the phone line the modem is connected to, which is how the operator of the dialer profits.

The most common installation method of this dialer application is through various Web sites, mainly pornographic.

Symptoms

Files on the system are detected as Dialer.OneOnOne.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 07 May 2019 revision 006
  • Initial Daily Certified version 25 November 2003 revision 003
  • Latest Daily Certified version 07 May 2019 revision 008
  • Initial Weekly Certified release date 26 November 2003

When Dialer.OneOnOne is executed, it performs the following actions:
  1. Copies itself to %Windir%\[RANDOM FILE NAME].exe, where [RANDOM FILE NAME] has been reported as:

    • %Windir%\Hot_Kiss.exe
    • %Windir%\Adult_Chat.exe
    • %Windir%\Ce_XXX.exe

      Note: %Windir% is a variable. The dialer locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Drops a settings file, %Windir%\[RANDOM FILE NAME]_pw.ini, next to the executable. The following dropped files have been reported:

    • %Windir%\Hot_Kiss_pw.ini
    • %Windir%\Adult_Chat_pw.ini
    • %Windir%\Ce_XXX_pw.ini
    • %Windir%\pcconfig.dat

  3. Creates a shortcut to the above executable on the Windows desktop and in the Start menu. File names have been reported to include the following:

    • %UserProfile%\Desktop\Hot_Kiss.lnk
    • %UserProfile%\Start Menu\Hot_Kiss.lnk
    • %UserProfile%\Desktop\Adult_Chat.lnk
    • %UserProfile%\Start Menu\Adult_Chat.lnk
    • %UserProfile%\Desktop\Ce_XXX.lnk
    • %UserProfile%\Start Menu\Ce_XXX.lnk

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  4. Adds the value:

    "[FILE NAME]" = "%Windir%\[FILE NAME].exe -n"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the dialer is started every time Windows starts, regardless of which user logs on.

  5. Adds the value:

    "XXXDIAL" = ""

    to the registry key:

    HKEY_ALL_USERS\RemoteAccess\Addresses

  6. May add the following registry subkey:

    HKEY_ALL_USERS\Software\RemoteAccess\Profile\XXXDIAL

      Note: HKEY_ALL_USERS is not the name of a registry hive. The RemoteAccess keys are per-user keys; look for them under HKEY_CURRENT_USER for the logged-on user, and under HKEY_USERS\[SID] for every other user profile on the computer.

  7. Modifies the default home page in Internet Explorer.

  8. Adds a new RAS phonebook entry named "XXXDial" or "XXXSERVER". This is the Dial-Up Networking connection the dialer uses to place the call to the high-cost number.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Close modem connections.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Dialer.OneOnOne.
  5. Delete any values added to the registry.
  6. Restore the Internet Explorer home page.
  7. Delete the entry that was added to the RAS phone-book file.
  8. Delete files created by the risk.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To close modem connections
This risk uses available modems to create an Internet connection, sometimes without any visible signs. In order to successfully remove this threat, ensure that all modem-based Internet connections are disconnected before proceeding; unplugging the phone line from the modem is the surest way to do this. For instructions on how to disconnect a dial-up connection, consult the appropriate Internet service provider, computer manufacturer, or operating system documentation.

3. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."

4. To scan for and delete the files
  1. Start your Symantec antivirus program.
  2. Run a full system scan.
  3. If any files are detected as Dialer.OneOnOne, first write down the full path and file name. Then click Delete.
  4. Do one of the following:
    • If your Symantec antivirus program reports that it was able to delete the file, skip to section 5.
    • If your Symantec antivirus program reports that it could not delete the file, proceed with step 5.
  5. If the file was detected in the folder:

      C:\Documents and Settings\<name>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file

     follow these steps:
      • Click the Start button > Settings > Control Panel (Windows 98/Me/2000).

        or:

        Click the Start button > Control Panel (Windows XP).
      • Double-click Java Plug-in Control Panel.
      • On the Cache tab, click the Clear button. This clears the cache folder.

5. Delete any values added to the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document "How to make a backup of the Windows registry."
  1. Click Start > Run.
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "[FILE NAME]" = "%Windir%\[FILE NAME].exe -n"

  5. Navigate to the key:

    HKEY_ALL_USERS\RemoteAccess\Addresses

    Note: HKEY_ALL_USERS is not the name of a registry hive. The RemoteAccess keys are per-user keys: check HKEY_CURRENT_USER for the logged-on user, and repeat steps 5 through 7 under HKEY_USERS\[SID] for each other user profile on the computer.

  6. In the right pane, delete the value:

    "XXXDIAL" = ""

  7. Navigate to and delete the following subkey if it exists:

    HKEY_ALL_USERS\Software\RemoteAccess\Profile\XXXDIAL

  8. Exit the Registry Editor.

6. To restore the Internet Explorer home page
  1. Start Internet Explorer.
  2. Connect to the Internet and go to the Web page that you would like to set as your home page.
  3. Click Tools, and then click Internet Options.
  4. In the Home page section of the General tab, click Use Current, and then click OK.

7. To delete the added entry from the RAS phone-book file

Note:
The location of the RAS phone-book file, rasphone.pbk, may vary and some computers may not have this file.

For example, if the file exists in Windows XP, it is usually located in the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder.

Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      rasphone.pbk

    4. Click Find Now or Search Now.
    5. If you find rasphone.pbk, right-click the file, and then click Open With.
    6. Clear the "Always use this program to open this file" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. When the file opens, delete all the lines that are included in the section:

      [XXXDial] or [XXXSERVER]

    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start, and then click Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      rasphone.pbk

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click More advanced options.
    6. Check Search system folders.
    7. Check Search subfolders.
    8. Click Search.
    9. If you find rasphone.pbk file, right-click the file, and then click Open With.
    10. Clear the "Always use this program to open this file" check box.
    11. Scroll through the list of programs and double-click Notepad.
    12. When the file opens, delete all the lines that are included in the section:

      [XXXDial] or [XXXSERVER]

    13. Close Notepad and save your changes when prompted.
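The following Python script is an added example for this page; it is not Symantec code and not part of the original writeup. It codes two of the indicators from the behavior list above (the Run value of the form "[FILE NAME]" = "%Windir%\[FILE NAME].exe -n", and the phonebook entries named XXXDial or XXXSERVER) and automates the rasphone.pbk cleanup described in this section: it splits the phonebook into its [Entry] sections, reports the PhoneNumber each matching entry would dial, and writes the file back without those sections after saving a .bak copy. The PhoneNumber key, the sample phonebook and its phone numbers are assumptions constructed for the example; the writeup itself gives only the entry names.

```python
"""Triage helper for the Dialer.OneOnOne indicators described in the writeup.

Added example, not Symantec code.  Covers the Run-key autostart value and
the RAS phonebook (rasphone.pbk) entries named XXXDial / XXXSERVER.
"""
import re
from typing import List, Tuple

# Phonebook entry names the writeup reports for this dialer.
DIALER_ENTRY_NAMES = ("XXXDial", "XXXSERVER")

# Autostart value reported under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
#   "[FILE NAME]" = "%Windir%\[FILE NAME].exe -n"
# The Windows folder may be stored expanded (C:\Windows, C:\Winnt) instead of %Windir%.
_RUN_VALUE_RE = re.compile(
    r'^\s*"?(?:%windir%|[a-z]:\\win(?:dows|nt))\\(?P<base>[^\\"]+)\.exe"?\s+-n\s*$',
    re.IGNORECASE,
)

# rasphone.pbk is an INI-style file: one [Entry Name] header per connection.
_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_pbk(text: str) -> List[Tuple[str, List[str]]]:
    """Split a phonebook into (entry name, raw lines) pairs, in file order.

    Anything before the first [Entry] header is kept under the name "" so the
    file can be written back unchanged apart from the removed entries.
    """
    entries: List[Tuple[str, List[str]]] = [("", [])]
    for line in text.splitlines(keepends=True):
        m = _SECTION_RE.match(line)
        if m:
            entries.append((m.group("name"), [line]))
        else:
            entries[-1][1].append(line)
    return entries


def entry_value(lines: List[str], key: str) -> str:
    """Return the value of a key=value line inside one entry ("" if absent)."""
    for line in lines:
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip()
    return ""


def find_dialer_entries(text: str, names=DIALER_ENTRY_NAMES) -> List[Tuple[str, str]]:
    """Return (entry name, PhoneNumber) for each matching entry, case-insensitively.

    PhoneNumber as the key name is an assumption about the phonebook layout.
    """
    wanted = {n.lower() for n in names}
    return [(name, entry_value(lines, "PhoneNumber"))
            for name, lines in parse_pbk(text) if name.lower() in wanted]


def strip_dialer_entries(text: str, names=DIALER_ENTRY_NAMES) -> str:
    """Return the phonebook with matching entries removed; all other lines pass through."""
    wanted = {n.lower() for n in names}
    return "".join("".join(lines) for name, lines in parse_pbk(text)
                   if name.lower() not in wanted)


def clean_pbk_file(path: str) -> List[Tuple[str, str]]:
    """Remove the dialer entries from a phonebook on disk, keeping a .bak copy.

    Bytes are round-tripped through latin-1 so untouched entries are rewritten
    exactly; a UTF-16 phonebook would match nothing and be left alone.
    """
    with open(path, "rb") as fh:
        original = fh.read().decode("latin-1")
    found = find_dialer_entries(original)
    if found:
        with open(path + ".bak", "wb") as fh:
            fh.write(original.encode("latin-1"))
        with open(path, "wb") as fh:
            fh.write(strip_dialer_entries(original).encode("latin-1"))
    return found


def is_dialer_run_value(value_name: str, value_data: str) -> bool:
    """True when a Run value matches the reported "<name>" = "%Windir%\\<name>.exe -n" shape."""
    m = _RUN_VALUE_RE.match(value_data)
    return bool(m) and m.group("base").lower() == value_name.strip().strip('"').lower()


# Constructed sample phonebook: the entries, keys and phone numbers are made up.
SAMPLE_PBK = (
    "[My ISP]\r\nEncoding=1\r\nType=1\r\nPhoneNumber=5550100\r\n\r\n"
    "[XXXDial]\r\nEncoding=1\r\nType=1\r\nPhoneNumber=19005550199\r\n\r\n"
    "[Work VPN]\r\nType=2\r\n"
)

if __name__ == "__main__":
    for name, number in find_dialer_entries(SAMPLE_PBK):
        print(f"dialer entry [{name}] would dial {number}")
    print(strip_dialer_entries(SAMPLE_PBK))
    print(is_dialer_run_value("Hot_Kiss", " %Windir%\\Hot_Kiss.exe -n"))
```

Matching is by entry name only, because that is the only identifier the writeup gives; the reported PhoneNumber is there so the analyst can confirm the entry really points at a premium-rate number before deleting it. On a live machine, run clean_pbk_file against the rasphone.pbk path found in the search above, from Safe mode and with the modem disconnected as in steps 2 and 3.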

8. Delete files created by the risk
  1. Click Start > Programs > Accessories > Windows Explorer.
  2. Navigate to and delete the following files, if they exist:

    • %Windir%\Hot_Kiss_pw.ini
    • %Windir%\Adult_Chat_pw.ini
    • %Windir%\Ce_XXX_pw.ini
    • %Windir%\pcconfig.dat
    • %UserProfile%\Desktop\Hot_Kiss.lnk
    • %UserProfile%\Start Menu\Hot_Kiss.lnk
    • %UserProfile%\Desktop\Adult_Chat.lnk
    • %UserProfile%\Start Menu\Adult_Chat.lnk
    • %UserProfile%\Desktop\Ce_XXX.lnk
    • %UserProfile%\Start Menu\Ce_XXX.lnk

  3. Exit Windows Explorer.