Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Dialer.PornPaq.B

Dialer.PornPaq.B

Updated:
13 February 2007
Version:
6.1
Publisher:
Coulomb Ltd.
Risk Impact:
High
File Names:
Hardcore.exe
Systems Affected:
Windows

Behavior


Dialer.Pornpaq.B is a dialer program that attempts to access pornographic material by dialing a high-cost phone number using a modem.

Symptoms


The program, Hardcore.exe, is visible on the desktop.
  • Your Symantec program detects Dialer.PornPaq.B.


Behavior


The most common installation method for this dialer application is through various Web sites, mainly pornographic.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 01 February 2015 revision 020
  • Initial Daily Certified version 23 February 2004
  • Latest Daily Certified version 17 January 2008 revision 033
  • Initial Weekly Certified release date 23 February 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Dialer.Pornpaq.B is executed, it performs the following actions:
  1. Adds the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hardcore

  2. Copies itself to the desktop as Hardcore.exe.

  3. Attempts to contact the IP address 217.73.64.1 on UDP port 24687 to inform the remote computer of its status.

  4. Creates a Web server on TCP port 8081.


    Note: The server contains text and pictures that may be offensive.

  5. Opens Internet Explorer and points it to a page on the new Web server.

  6. If the user accepts the agreement on the Web site, the program will dial to another server.


    Note: The server states that, depending on the location of the computer, the billing rate will be either premium or international.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Close modem connections.
  3. Restart the computer in Safe mode.
  4. Run a full system scan and delete all the files detected as Dialer.Pornpaq.B.
  5. Reverse the changes made to the registry.

For details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate

2. To close modem connections
This risk uses available modems to create an Internet connection, sometimes without any visible signs. In order to successfully remove this threat, ensure that all modem-based Internet connections are disconnected before proceeding. For instructions on how to do this, consult the appropriate Internet service provider, computer manufacturer, or operating system documentation.

3. Restarting the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode ."

4. Scanning for and deleting the files
  1. Start your Symantec antivirus program and run a full system scan.
  2. If any files are detected as Dialer.Pornpaq.B, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

5. Reversing the changes made to the registry


WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Delete the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hardcore

  4. Exit the Registry Editor.