Threat Profile: PornDial-143

Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 1/20/2003
Date Added: 1/20/2003
Origin: The Netherlands
Length: 102.932 bytes
Type: Program
Subtype: PornDialer
DAT Required: 4246

Description

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. A PUP is any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of.

Symptoms

-Presence of msite18.exe in the %windows%\system directory

Method

The file "msite18.exe" may arrive in a "spam" e-mail as a file attachment. The file is not started automatically; the user has to manually double-click it for it to execute.
   

Virus Characteristics

This is a porn dialer application that installs itself to run at system startup. A porn dialer is simply a program that is used to dial into a pornographic "service". Some porn dialers do not advertise that extremely high phone bills may result from using their service.
/PROGRAM detection is being added for this "potentially unwanted application". The current command-line scanner makes use of such detections, as does VirusScan 7.

The file "msite18.exe" (102.932 bytes) is a 32-bit executable packed with UPX. When run, the program silently copies itself into the %windows%\system directory. For example, on Windows 2000 it copies itself to "c:\winnt\system32\msite18.exe".

PornDial-143 does not visibly show its presence, but it is loaded at system start. It makes registry entries such as:

-HKEY_CLASSES_ROOT\MS-Connect.Scriptfile\shell\open\command
"c:\winnt\system32\msite18.exe" %1

-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\
MS-Connect "c:\winnt\system32\msite18.exe"

In the Windows Task Manager, the process msite18.exe is visible and can be killed manually. (Note that VirusScan is able to kill the process automatically.)
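
The file, registry and process indicators listed in this profile can be checked on a host with the PowerShell function below. It is an added example, not part of the original profile or of any McAfee tool; the function name Find-PornDial143Artifact is hypothetical, and the SysWOW64 and WOW6432Node locations are an added assumption covering 64-bit Windows, which the profile does not mention.

```powershell
# Added example: looks for the PornDial-143 artifacts named in this profile.
# File name, size, registry keys and value name come from the profile text.
function Find-PornDial143Artifact {
    $name = 'msite18.exe'
    $size = 102932   # "102.932 bytes" in the profile
    $hits = @()

    # Dropped copy in the system directory (c:\winnt\system32 on Windows 2000).
    # SysWOW64 is an assumption: where a 32-bit program's copy lands on 64-bit Windows.
    foreach ($dir in 'System32', 'SysWOW64', 'System') {
        $path = Join-Path (Join-Path $env:windir $dir) $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $len = (Get-Item -LiteralPath $path -Force).Length
            $hits += "File: $path ($len bytes; matches profile size: $($len -eq $size))"
        }
    }

    # Startup persistence: value "MS-Connect" under the Run key.
    # The WOW6432Node key is an assumption: the 32-bit registry view on 64-bit Windows.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $run = Get-ItemProperty -Path $key -Name 'MS-Connect' -ErrorAction SilentlyContinue
        if ($run) { $hits += "Run value: $key\MS-Connect = $($run.'MS-Connect')" }
    }

    # File class whose open command points at the dropped executable.
    $cls = 'Registry::HKEY_CLASSES_ROOT\MS-Connect.Scriptfile\shell\open\command'
    if (Test-Path -LiteralPath $cls) {
        $cmd = (Get-Item -LiteralPath $cls).GetValue('')   # '' reads the (Default) value
        $hits += "Handler: MS-Connect.Scriptfile open command = $cmd"
    }

    # Running process, as visible in Task Manager.
    foreach ($p in @(Get-Process -Name 'msite18' -ErrorAction SilentlyContinue)) {
        $hits += "Process: msite18.exe is running (PID $($p.Id))"
    }

    $hits
}

$found = @(Find-PornDial143Artifact)
if ($found.Count) { $found } else { 'No PornDial-143 artifacts from the profile were found.' }
```

A file name match alone is weak evidence; a hit is more meaningful when the size matches and the Run value or handler key points at the same path.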