Trojan Horse Phone Dialler
Showing all messages in thread #1058397242 Windows Me Annoyances Discussion Forum
Trojan Horse Phone Dialler
Wednesday, July 16, 2003 at 4:14 pm Posted by Steven Bradley
(1 messages posted)
Dear Sirs
I note that Emails received from OnePlayer and MP3.com are not certified as checked
by AVG. Is this significant using Outlook?
The following is a message sent to the UK’s premier rate phone call service
ICSTIS.
Further to my complaint about being billed for a call to Super Prem on 09090277021
(UK) costing over £1 per minute which I believed to be Internet related, my phone
company, Telewest agree that this was virus related, the call was apparently made
within 10 seconds of closing my normal ISP connection. I think this happened as
a result of clicking on a link received from MP3 for a music connection. I receive
regular anti virus software updates from AVG and the latest run, not a fortnight
ago when the call was made, has shown a virus called Trojan Horse Phone Dialler to
be present and “healed”. An Internet search using Google has shown that
many other people and organisations, mainly in the USA have suffered problems with
this virus and consequent premium rate phone bills (there are also solutions?).
I suspect that this problem involves calling the number above via a link in an Email
offering choices of music to listen to (some of which are completely legitimate).
It may well be that the fraud only happens if you are not already connected to your
usual ISP; other phone viruses have impersonated normal ISPs but at Premium/Overseas
rates. Calling the number ordinarily just produces computer noise so it seems you
can only access this site if you have the virus. I believe the source to be connected
with RealOne player and MP3.com; after all, it is meaningless unless you have a media
player.
This virus seems to have been around for a while and is maybe “evolving”
to be more financially viable to its perpetrators. Is there anything you can do
to shut down this scam?
I’ve yet to hear anything from ICSTIS by the way.
Interestingly my anti virus programme which checks Emails appears to have been disabled
by Emails from both RealOne player and MP3.
Sorry about the length of this but if you are interested in the files infected they
are as follows:
Documents and Settings\Steven Charles Bradl\Local Settings\Temporary Internet Files\CONTENT.IE5\S9AN4T63\3156_1~1.EXE repaired
C:\WINNT\Downloaded Program Files\3156.EXE repaired
C:\WINNT\SYSTEM32\windialup\3156\3156.EXE repaired
On a completely different view, if people have problems using Windows 2000 they need
at least 128Mb’s of RAM as Windows consumes 70Mb’s on its own.
Yours faithfully,
Steven Bradley
tebradley@ic24.net
re: Trojan Horse Phone Dialler
Wednesday, July 16, 2003 at 7:32 pm Posted by jabuck
(2274 messages posted)
Steven, Read this post on the dialer http://www.annoyances.org/exec/forum/winme/t1045523480
The only thing I could add would be download and install spyblaster
it stops many spywares before they install themselves. ---jabuck
On Wednesday, July 16, 2003 at 4:14 pm, Steven Bradley wrote:
>
>Dear Sirs
>
>I note that Emails received from OnePlayer and MP3.com are not certified as checked
>by AVG. Is this significant using Outlook?
>
>The following is a message sent to the UK’s premier rate phone call service
>ICSTIS.
>
>Further to my complaint about being billed for a call to Super Prem on 09090277021
>(UK) costing over £1 per minute which I believed to be Internet related, my phone
>company, Telewest agree that this was virus related, the call was apparently made
>within 10 seconds of closing my normal ISP connection. I think this happened as
>a result of clicking on a link received from MP3 for a music connection. I receive
>regular anti virus software updates from AVG and the latest run, not a fortnight
>ago when the call was made, has shown a virus called Trojan Horse Phone Dialler to
>be present and “healed”. An Internet search using Google has shown that
>many other people and organisations, mainly in the USA have suffered problems with
>this virus and consequent premium rate phone bills (there are also solutions?).
>
>I suspect that this problem involves calling the number above via a link in an Email
>offering choices of music to listen to (some of which are completely legitimate).
>It may well be that the fraud only happens if you are not already connected to your
>usual ISP; other phone viruses have impersonated normal ISPs but at Premium/Overseas
>rates. Calling the number ordinarily just produces computer noise so it seems you
>can only access this site if you have the virus. I believe the source to be connected
>with RealOne player and MP3.com; after all, it is meaningless unless you have a media
>player.
>
>This virus seems to have been around for a while and is maybe “evolving”
>to be more financially viable to its perpetrators. Is there anything you can do
>to shut down this scam?
>
> I’ve yet to hear anything from ICSTIS by the way.
>
>Interestingly my anti virus programme which checks Emails appears to have been disabled
>by Emails from both RealOne player and MP3.
>Sorry about the length of this but if you are interested in the files infected they
>are as follows:
>
>Documents and Settings\Steven Charles Bradl\Local Settings\Temporary Internet Files\CONTENT.IE5\S9AN4T63\3156_1~1.EXE repaired
>C:\WINNT\Downloaded Program Files\3156.EXE repaired
>C:\WINNT\SYSTEM32\windialup\3156\3156.EXE repaired
>
re: Trojan Horse Phone Dialler
Thursday, July 17, 2003 at 2:01 pm Posted by Ogg
(274 messages posted)
I recently spent a lot of time removing a similar "dialer" from a friend's computer.
It was something called HotAction_ca. It also seemed to work in conjunction with
something called "Dluca". I used Ad-Aware to identify them. HotAction was very
clever; it would replicate itself into different versions as I tried to delete it.
HotAction/Dluca were responsible for dialing out to some small island community
near Australia, but the "service" was UK-based. The phone bills had already reached
$700 in the following bill before any of this was detected.
On Wednesday, July 16, 2003 at 4:14 pm, Steven Bradley wrote:
>
>Dear Sirs
>
>I note that Emails received from OnePlayer and MP3.com are not certified as checked
>by AVG. Is this significant using Outlook?
>
>The following is a message sent to the UK’s premier rate phone call service
>ICSTIS.
>
>Further to my complaint about being billed for a call to Super Prem on 09090277021
>(UK) costing over £1 per minute which I believed to be Internet related, my phone
>company, Telewest agree that this was virus related..
re: Trojan Horse Phone Dialler
Wednesday, August 27, 2003 at 6:22 pm Posted by frank
(1 messages posted)
The reference to ...hotaction_ca. A window pops up whenever I open my computer saying
that 'hotaction_ca' has 'made an illegal' entry. I can close but the window says
"if this persists contact the provider". Of course I can't find the provider. Any
thoughts on how I can stop this window popping up to tell me of 'hotaction_ca's
illegal attempts? I've checked with my long-distance phone provider but there has
been no abnormal use of my phone line.
Any help appreciated.
FC
On Thursday, July 17, 2003 at 2:01 pm, ogg wrote:
>I recently spent a lot of time removing a similar "dialer" from a friend's computer.
> It was something called HotAction_ca. It also seemed to work in conjunction with
>something called "Dluca". I used Ad-Aware to identify them. HotAction was very
>clever; it would replicate itself into different versions as I tried to delete it.
> HotAction/Dluca were responsible for dialing out to some small island community
>near Australia, but the "service" was UK-based. The phone bills had already reached
>$700 in the following bill before any of this was detected.
>
>
re: Trojan Horse Phone Dialler
Thursday, August 28, 2003 at 8:49 pm Posted by Ogg
(274 messages posted)
Hello Frank. Do a file-search for "dluca" and "hot" on your system. Delete all
occurrences of matches for "dluca" and anything that resembles the words "hot action"
in the name. You may discover, as I did, that as you delete one occurrence of "dluca"
and "hot action", the system might create another copy! But keep plugging at it.
At the same time, I highly recommend you use AD-AWARE. That's the product that
eventually removed the malware hiding deep in the Registry and in other various
directories on the system.
Hope this helps. Let me know how it goes.
On Wednesday, August 27, 2003 at 6:22 pm, frank wrote:
>
>The reference to ...hotaction_ca. A window pops up whenever I open my computer saying
>that 'hotaction_ca' has 'made an illegal' entry. I can close but the window says
>"if this persists contact the provider". Of course I can't find the provider. Any
>thoughts on how I can stop this window popping up to tell me of 'hotaction_ca's
>illegal attempts? I've checked with my long-distance phone provider but there has
>been no abnormal use of my phone line.
>Any help appreciated.
>FC
>