Parasite: OnlineDialer

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

An ActiveX drive-by-installer used primarily to load premium-rate phone diallers.

Variants

OnlineDialer/MaConnect: filename MaConnect.dll; object name ‘Loader class’; signed by ‘AGUILA ESTATES SL’; typically downloaded from online-dialer.com.

OnlineDialer/eConnect: filename eConnect.dll; object name ‘eConn class’; signed by ‘liberECO payment solutions GmbH & Co. KG’; typically downloaded from libereco.net.

OnlineDialer/IEDialer: filename IEDialer.dll; object name ‘IELoaderCtl class’; signed by ‘liberECO payment solutions GmbH & Co. KG’; typically downloaded from libereco.net.

OnlineDialer/VLoading: filename VLoading.dll; object name ‘Download class’; signed by ‘EBS electronic billing systems AG’ or ‘Borkum 317. VV GmbH’; typically downloaded from 0190-dialer.com.

OnlineDialer/SunInfo: filename SunInfoConnect.dll; object name ‘snConnect class’; signed by ‘Sun Infomedia S.L.’; typically downloaded from 4netmedia.com or bcnx.com.

OnlineDialer/BelCall: filename BelCallConnect.dll, unknown origin.

OnlineDialer/Ole: filename Ole32ws.dll; object name ‘Moniker32 class’; signed by ‘HALDEX Ltd.’; typically downloaded from start.online-dialer.com or 63.219.181.7. Loads the RichFind parasite instead of a dialler.

OnlineDialer/Ole is typically distributed in a file called ‘cax.cab’; it is, however, quite different code to the DialerMaker/Cax parasite, also distributed in a file of this name. However both diallers exhibit the same behaviour and security problems, and the OnlineDialer-related site dl.dialerssolution.com has also installed DialerMaker/Cax.
Distribution

Installed by ActiveX drive-by-download on many sites, pop-up ads and junk e-mail (spam), typically porn-related. Some particularly aggressive installer pages open a JavaScript error and try again if you click ‘No’ to the install box, to try to force you to install the software. In this case all you can do is go to the Task Manager (Ctrl-Alt-Delete) and kill Internet Explorer.

The Ole variant is installed by CoolWebSearch-related security hole exploits.

What it does

Advertising: No.
Privacy violation: No.
Security issues: Yes. Any web page can direct it to install arbitrary executable code downloaded from its home server.
Stability problems: No.

Removal

Ensure Internet Explorer windows are closed, then open ‘Downloaded Program Files’ in the Windows folder. Delete the entry corresponding to OnlineDialer (it will have one of the object names mentioned above; the object name for BelCall is not currently known, but you should be able to check where an entry comes from by right-clicking it and choosing ‘Properties’).

OnlineDialer may have installed an unwanted dialler. Open the Program Files folder and delete the ‘OnlineDialer’ folder if you have it, along with the shortcuts it adds to the Desktop, Start, and Programs menus.

Links
* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission. For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links. Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
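
The Removal steps above can be checked from a script. The following is an added example, not part of the original record and not Andrew Clover's detection script: it matches the on-disk filenames from the Variants list (case-insensitively) rather than the object names, and looks for the ‘OnlineDialer’ folder under Program Files. The function names `scan` and `demo` and the directory tree built in `demo` are constructed for illustration.

```python
import os
import tempfile

# Filenames and variant names come from the Variants list in this record.
VARIANT_FILES = {
    "maconnect.dll": "OnlineDialer/MaConnect",
    "econnect.dll": "OnlineDialer/eConnect",
    "iedialer.dll": "OnlineDialer/IEDialer",
    "vloading.dll": "OnlineDialer/VLoading",
    "suninfoconnect.dll": "OnlineDialer/SunInfo",
    "belcallconnect.dll": "OnlineDialer/BelCall",
    "ole32ws.dll": "OnlineDialer/Ole",
}
DIALLER_FOLDER = "onlinedialer"  # folder the Removal section says to delete


def scan(windows_dir, program_files_dir):
    """Return sorted (kind, label, path) findings for OnlineDialer leftovers."""
    findings = []
    dpf = os.path.join(windows_dir, "Downloaded Program Files")
    for root, _dirs, files in os.walk(dpf):  # yields nothing if dpf is absent
        for name in files:
            variant = VARIANT_FILES.get(name.lower())
            if variant:
                findings.append(("control", variant, os.path.join(root, name)))
    if os.path.isdir(program_files_dir):
        for entry in os.listdir(program_files_dir):
            full = os.path.join(program_files_dir, entry)
            if entry.lower() == DIALLER_FOLDER and os.path.isdir(full):
                findings.append(("dialler", "OnlineDialer folder", full))
    return sorted(findings)


def demo():
    """Run the scan over a constructed directory tree (no real system touched)."""
    with tempfile.TemporaryDirectory() as top:
        win = os.path.join(top, "WINDOWS")
        pf = os.path.join(top, "Program Files")
        os.makedirs(os.path.join(win, "Downloaded Program Files", "CONFLICT.1"))
        os.makedirs(os.path.join(pf, "OnlineDialer"))
        os.makedirs(os.path.join(pf, "Notepad Tools"))
        for rel in ("ECONNECT.DLL", "benign.ocx", os.path.join("CONFLICT.1", "Ole32ws.dll")):
            open(os.path.join(win, "Downloaded Program Files", rel), "w").close()
        return [(kind, label, os.path.relpath(path, top)) for kind, label, path in scan(win, pf)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine, call `scan` with the actual Windows and Program Files paths; the script only reports findings and deletes nothing.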