Description
IEAccess is an ActiveX control used to download and install
premium-rate diallers, primarily for porn sites.
Variants
IEAccess/IEDial, IEAccess/HTMLAccess and
IEAccess/HTMLDialer are broadly similar but use different
filenames and IDs.
IEAccess/EGDial is based on IEAccess/HTMLDialer,
with an extra file.
Distribution
Installed by ActiveX drive-by download from porn-related pages
on nocreditcard.net and sex-explorer.com, which may be opened,
or redirected to, by pop-up advertising.
The IEDial variant is known to be installed automatically,
without prompting, on Internet Explorer versions earlier than
IE6 Service Pack 1, thanks to a security hole. The installer
pages exploit this to run an EXE which adds 'Electronic Group'
to the list of trusted publishers whose software IE will install
automatically without asking.
Electronic Group are also known to distribute at least two
other types of stealth-installed dialer, StripPlayer and DialerOffline.
What it does
Advertising
No.
Privacy violation
No.
Security issues
It is suspected that it may be possible to use an IEAccess
ActiveX control on any web page to cause arbitrary unsigned
code to be executed. IEAccess/EGDial may also install the
MagicControl parasite.
Stability problems
None known.
Manual removal
From 'Downloaded Program Files' in the Windows folder, right-click
the 'IEDial Class' (IEDial variant), 'HTMLAccess Class' (HTMLAccess
variant), 'HTMLDialer Class' (HTMLDialer variant) or '{2ABE804B-4D3A-41BF-A172-304627874B45}'
(EGDial variant) entry and remove it.
This does not actually remove the software, so open a
DOS command prompt window (from Start->Programs->Accessories)
and enter the following commands, for the IEDial variant (on
Windows NT, 2000 and XP the System folder is called 'System32',
as noted below):
cd "%WinDir%\System"
regsvr32.exe /u IEAccess2.dll
Or, for the HTMLAccess variant:
cd "%WinDir%\System"
regsvr32.exe /u DHTMLAccess.dll
Or, for the HTMLDialer variant:
cd "%WinDir%\System"
regsvr32.exe /u EGHTMLDialer.dll
Or, for the EGDial variant, you'll need to find out the filename
of the DLL responsible. Open the System folder (which is inside
the Windows folder, and called 'System32' on Windows NT, 2000
and XP), and look for a filename beginning 'EGDHTML'; known
filenames include 'EGDHTML_1015.dll', 'EGDHTML_1017.dll' and
'EGDHTML_1019.dll'. Enter the following commands, substituting
the correct number:
cd "%WinDir%\System"
regsvr32.exe /u EGDHTML_1019.dll
You can now delete the 'IEAccess2.dll' (IEDial variant),
'DHTMLAccess.dll' (HTMLAccess), 'EGHTMLDialer.dll' (HTMLDialer)
or 'EGDHTML_number.dll' (EGDial) file in the System folder
(which is inside the Windows folder, and is called 'System32' on
Windows NT, 2000 and XP, or just 'System' on Windows 95, 98
and Me). The EGDial variant also sometimes leaves 'EGDial.dll'
in the System folder; this too can be deleted.
Next open the registry (Start->Run->regedit) and delete
the key 'HKEY_CURRENT_USER\Software\egroup'.
Finally, check whether Electronic Group have been added to
your Trusted Publishers list - at least the IEDial and EGDial
variants have been seen to do this. Open Internet Options->Content->Certificates->Publishers.
Delete the entry if it is there, then open the registry (Start->Run->regedit)
and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust
Providers\Software Publishing\Trust Database\0. Delete the
entry with the value 'ELECTRONIC GROUP'.
IEAccess may have downloaded one or more unwanted diallers.
These sometimes appear in an 'eGroup' folder in the Windows
folder, as well as in the more usual Program Files folder.
Check for and delete any diallers you find.
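The removal steps above, collected into one batch script as an added example; this is not part of the original description. It assumes a Windows NT, 2000 or XP system where the System folder is %WinDir%\System32 and reg.exe is available (on XP it is; on older systems it may need installing). Run it with no arguments to report what it finds, or with `remove` to also unregister and delete the files and registry entries. The Code Store Database key used to detect the EGDial 'Downloaded Program Files' entry is an assumption about where Internet Explorer records such entries; the filenames, CLSID and registry paths are the ones given above.

```batch
@echo off
rem Added example, not from the original description: audits and optionally
rem removes the IEAccess files and registry entries listed above.
rem Assumes Windows NT/2000/XP (System folder is %WinDir%\System32, reg.exe
rem present). Usage:  ieaccess_check.bat          (report only)
rem                   ieaccess_check.bat remove   (unregister and delete)
setlocal
set "SYSDIR=%WinDir%\System32"
set "TRUSTDB=HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0"
rem Assumed location of the 'Downloaded Program Files' record for the EGDial CLSID.
set "CODESTORE=HKLM\Software\Microsoft\Code Store Database\Distribution Units\{2ABE804B-4D3A-41BF-A172-304627874B45}"
set FOUND=0
set MODE=%~1

rem 1. Fixed COM server filenames: IEDial, HTMLAccess, HTMLDialer, plus the
rem    stray EGDial.dll the EGDial variant sometimes leaves behind.
for %%F in (IEAccess2.dll DHTMLAccess.dll EGHTMLDialer.dll EGDial.dll) do (
    if exist "%SYSDIR%\%%F" call :handle_dll "%SYSDIR%\%%F"
)

rem 2. EGDial variant: the filename carries a build number (EGDHTML_1015.dll,
rem    EGDHTML_1017.dll, ...), so match on the prefix rather than a fixed name.
for %%F in ("%SYSDIR%\EGDHTML_*.dll") do call :handle_dll "%%~F"

rem 3. Registry key created by the software.
reg query "HKCU\Software\egroup" >nul 2>&1 && (
    echo [found] HKCU\Software\egroup
    set FOUND=1
    if /i "%MODE%"=="remove" reg delete "HKCU\Software\egroup" /f
)

rem 4. Trusted-publisher entry: the value name is arbitrary, so locate it by
rem    its data ('ELECTRONIC GROUP') and delete it by the name reg.exe prints.
for /f "tokens=1" %%V in ('reg query "%TRUSTDB%" 2^>nul ^| find /i "ELECTRONIC GROUP"') do (
    echo [found] trusted publisher value %%V = ELECTRONIC GROUP
    set FOUND=1
    if /i "%MODE%"=="remove" reg delete "%TRUSTDB%" /v "%%V" /f
)

rem 5. 'Downloaded Program Files' entry for the EGDial control. Report only;
rem    remove it through the Downloaded Program Files folder as described above.
reg query "%CODESTORE%" >nul 2>&1 && (
    echo [found] Downloaded Program Files entry for the EGDial control
    set FOUND=1
)

if "%FOUND%"=="0" echo No IEAccess components found.
endlocal
goto :eof

:handle_dll
rem %~1 is the full path of a DLL belonging to IEAccess.
echo [found] %~1
set FOUND=1
if /i "%MODE%"=="remove" (
    regsvr32.exe /u /s "%~1"
    del /f /q "%~1"
)
goto :eof
```

Run it in report mode first and compare its output with the manual steps above; the unregister-then-delete order in `:handle_dll` matters, since deleting the DLL first leaves a dangling COM registration that regsvr32 can no longer clean up. Any diallers IEAccess downloaded into the 'eGroup' or Program Files folders are not covered by the script and still need checking by hand.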