AlphaOne Technology Support Forums
TJ
Dialer.SouthBeachTel
« on: August 13, 2005, 09:04:06 PM »

Behavior
Dialer.SouthBeachTel is a dialer program that attempts to dial a high-cost number using a modem.

Symptoms
The files are detected as Dialer.SouthBeachTel.

Transmission
May be installed when certain Web pages are visited. The user must agree to the installation.

Technical details
File names:
updmgr.exe

When Dialer.SouthBeachTel is executed, it performs the following actions:

   1. Copies itself as %Windir%\updmgr.exe.

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   2. Makes an outgoing connection to a server by dialing a high-cost number using the modem.

   3. Attempts to access the following Web site:

      [http://]www.217.97.161.9:80/[REMOVED]/index.html

   4. Adds the value:

      "UpdateMgr" = "%windir%\updmgr.exe $"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the risk runs every time Windows starts.

   5. Adds the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Access

   6. Adds the following text to the RAS phonebook file, rasphone.pbk:

      [access]

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit

      Then click OK.

   3. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

   4. In the right pane, delete the value:

      "UpdateMgr" = "%windir%\updmgr.exe $"

   5. Navigate to and delete the subkey:

      HKEY_LOCAL_MACHINE\Software\Access

   6. Exit the Registry Editor.

To delete the entries added to the RAS phonebook file

Note: The location of the RAS phonebook file, rasphone.pbk, may vary and some computers may not have this file.

For example, if the file exists in Windows XP, it is usually located in the C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk folder.

Follow the instructions for your operating system:

    * Windows 95/98/Me/NT/2000
         1. Click Start, point to Find or Search, and then click Files or Folders.
         2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
         3. In the "Named" or "Search for..." box, type:

            rasphone.pbk

         4. Click Find Now or Search Now.
         5. If you find rasphone.pbk, right-click the file, and then click Open With.
         6. Deselect the Always use this program to open this program check box.
         7. Scroll through the list of programs and double-click Notepad.
         8. When the file opens, delete all the lines that are included in the section:

            [access]

         9. Close Notepad and save your changes when prompted.

    * Windows XP
         1. Click Start, and then click Search.
         2. Click All files and folders.
         3. In the "All or part of the file name" box, type:

            rasphone.pbk

         4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
         5. Click More advanced options.
         6. Check Search system folders.
         7. Check Search subfolders.
         8. Click Search.
         9. If you find the rasphone.pbk file, right-click the file, and then click Open With.
        10. Deselect the Always use this program to open this program check box.
        11. Scroll through the list of programs and double-click Notepad.
        12. When the file opens, delete all the lines that are included in the section:

            [access]

        13. Close Notepad and save your changes when prompted.
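
The phonebook cleanup steps above can also be scripted. The following is an added example, not part of the original post: it removes the [access] entry from a phonebook and keeps a backup copy. It assumes an entry runs from its [name] header to the next header, and that entry names are matched case-insensitively; the function names and the sample phonebook are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# A phonebook entry starts at a line that contains only "[name]".
HEADER = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")

def strip_pbk_entry(text, target="access"):
    """Return (cleaned_text, removed_lines) with the [target] entry removed.

    The entry runs from its header to the next header or end of file.
    Assumption: entry names are compared case-insensitively.
    """
    kept, removed = [], []
    in_target = False
    for line in text.splitlines(keepends=True):
        m = HEADER.match(line)
        if m:
            in_target = m.group("name").strip().lower() == target.lower()
        (removed if in_target else kept).append(line)
    return "".join(kept), removed

def clean_pbk_file(path, target="access"):
    """Rewrite the phonebook without [target], keeping a .bak copy first."""
    p = Path(path)
    # latin-1 maps each byte to one character, so untouched lines round-trip.
    text = p.read_bytes().decode("latin-1")
    cleaned, removed = strip_pbk_entry(text, target)
    if removed:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_bytes(cleaned.encode("latin-1"))
    return removed

# Constructed sample phonebook (values are placeholders, not from a real system).
SAMPLE_PBK = (
    "[My ISP]\r\n"
    "PhoneNumber=5550100\r\n"
    "\r\n"
    "[access]\r\n"
    "PhoneNumber=0000000000\r\n"
    "Device=Standard Modem\r\n"
    "\r\n"
    "[Office]\r\n"
    "PhoneNumber=5550123\r\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_pbk_entry(SAMPLE_PBK)
    print(f"Removed {len(removed)} line(s) from [access]:")
    print(cleaned)
```

Review the returned removed lines before deleting the .bak file, since legitimate connections in other entries are left untouched.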