AlphaOne Technology Support Forums
Brad
Dialer.Nunci
« on: July 07, 2005, 11:14:00 PM »

Behavior
Dialer.Nunci is a dialer program that attempts to dial a high-cost number using a modem and changes the Internet Explorer start page.

Symptoms
The modem unexpectedly dials long-distance phone numbers and the Internet Explorer start page may be changed. Your Symantec program detects Dialer.Nunci.

Transmission
May be installed when certain Web pages are visited. The user must agree to the installation.

Technical details
File names: SYS.EXE, snss.exe

When Dialer.Nunci is installed, it does the following:

   1. Displays the following message:

      Title:  FOTO - ANNUNCI - FILM - VIDEOCHAT
      Message:  Per entrare premi il tasto "OK" accettando le "Condizioni del Servizio".

   2. Copies itself as %System%\Winx\SYS.EXE

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. Drops the file %System%\snss.exe, which is a component that periodically checks for dialer installation.

   4. Creates the following .lnk files, which link to the copy of the dialer executable:
          * %UserProfile%\Desktop\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk
          * %UserProfile%\Start Menu\Programs\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk
          * %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\FOTO - ANNUNCI - FILM - VIDEOCHAT.lnk

            Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

   5. Creates a dial-up connection named RENConnector. This connection is configured to connect to a high-cost number.

   6. May add the following line to the file %System%\drivers\etc\hosts in order to replace the default search page with a different web site:

      205.214.67.211 auto.search.msn.com

   7. Changes the Internet Explorer home page to a Web site on the www.ricerchefacili.com domain.

   8. Tries to contact the remote web site www.vanitosa.com

   9. Adds the following subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\Date
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\DisplayName
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\DisplayVersion
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\HelpTelephone
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\Publisher
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}\UninstallString
      HKEY_CURRENT_USER\Software\Freeware\{AC5ACED1-97DB-4A2A-81A9-ACFC8ECA1085}
      HKEY_CURRENT_USER\Software\Freeware\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}

  10. Adds the values:

      "Connector" = "%System%\Winx\SYS.EXE -n"
      "SNSS.EXE" = "%System%\snss.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the dialer runs every time Windows starts.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/dialer.nunci.html

Reverse the changes that were made to the registry
         1. Click Start > Run.
         2. Type regedit

            Then click OK.

         3. Navigate to the subkey:

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

         4. In the right pane, delete the values:

            "Connector" = "%System%\Winx\SYS.EXE -n"
            "SNSS.EXE" = "%System%\snss.exe"

         5. Navigate to and delete the subkeys:

            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{54F7FD6E-E782-4F9F-8FF0-677090048729}
            HKEY_CURRENT_USER\Software\Freeware\{AC5ACED1-97DB-4A2A-81A9-ACFC8ECA1085}
            HKEY_CURRENT_USER\Software\Freeware\{FFB51760-344E-4FFB-BFFF-4B18C7AC1D63}

To delete the added lines from the Windows Hosts file
Note: The location of the Hosts file may vary and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.
Follow the instructions for your operating system:

    * Windows 95/98/Me/NT/2000
         1. Click Start, point to Find or Search, and then click Files or Folders.
         2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
         3. In the "Named" or "Search for..." box, type:

            hosts

         4. Click Find Now or Search Now.
         5. For each Hosts file that you find, right-click the file, and then click "Open With."
         6. Deselect the "Always use this program to open this program" check box.
         7. Scroll through the list of programs and double-click Notepad.
         8. When the file opens, delete all the entries in the Hosts file, except for the following line:

            127.0.0.1     localhost

            Note: If this line does not exist, add it to the file.
         9. Close Notepad and save your changes when prompted.

    * Windows XP
         1. Click Start, and then click Search.
         2. Click All files and folders.
         3. In the "All or part of the file name" box, type:

            hosts

         4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
         5. Click "More advanced options."
         6. Check "Search system folders."
         7. Check "Search subfolders."
         8. Click Search.
         9. Click Find Now or Search Now
        10. For each Hosts file that you find, right-click the file, and then click "Open With."
        11. Deselect the "Always use this program to open this program" check box.
        12. Scroll through the list of programs and double-click Notepad.
        13. When the file opens, delete all the entries in the Hosts file except for the following line:

            127.0.0.1     localhost

            Note: If this line does not exist, add it to the file.
        14. Close Notepad and save your changes when prompted.
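
The registry and Hosts file checks above can also be run as offline triage on copies of the files. The following Python is an added example, not part of the original post or the Symantec write-up. It assumes the Hosts file and a regedit export of the Run key have been copied off the machine; the function names and sample inputs are constructed, and only the indicator values come from the technical details above. It flags the dialer's entries and lists every other non-loopback Hosts mapping for review.

```python
import re

# Indicator values below are copied from the write-up; everything else is constructed.
HOSTS_IOC = ("205.214.67.211", "auto.search.msn.com")
RUN_IOCS = {"connector": r"\winx\sys.exe", "snss.exe": r"\snss.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

def audit_hosts(text):
    """List every non-loopback mapping as (line_no, ip, name, verdict)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] in LOOPBACK:
            continue
        for name in fields[1:]:
            hit = (fields[0], name.lower()) == HOSTS_IOC
            findings.append((n, fields[0], name.lower(), "dialer-ioc" if hit else "review"))
    return findings

def audit_run_export(reg_text):
    """Return Run values from a regedit export that match the dialer's autostart entries."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"', reg_text, re.M):
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        suffix = RUN_IOCS.get(name.lower())
        if suffix and suffix in data.lower():
            hits.append((name, data))
    return hits

# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
205.214.67.211 auto.search.msn.com
10.0.0.5        intranet.example   # legitimate site-specific entry
"""
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Connector"="C:\\WINDOWS\\system32\\Winx\\SYS.EXE -n"
"SNSS.EXE"="C:\\WINDOWS\\system32\\snss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", finding)
    for name, data in audit_run_export(SAMPLE_REG):
        print("run:", name, "=", data)
```

Regedit exports from Windows 2000/XP are UTF-16 by default, so decode the file accordingly before passing its text to `audit_run_export`.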