InterMute > Threat Research

Wonderland is a simple ActiveX-controlled dialler originating in Italy.

When activated by any web site, it immediately disconnects the current internet connection and dials a premium-rate number without prompting.

Variants

Wonderland/Plus is the most widely seen variant. Wonderland/Web, 05, 07, 91 and 33107 are pretty much the same code but with different class IDs and different phone numbers.

Distribution

ActiveX drive-by download, suspected to come from pop-up adverts.

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.

Stability problems

On some DSL setups, if no additional modem/ISDN connection is available, Wonderland will be unable to dial up and will cause Internet Explorer to hang indefinitely.

Removal

Open the Downloaded Program Files folder inside the Windows folder. There should be an entry called 'WonderPlus.Wonder_Plus', or 'WonderWeb.Wonder_Web' (Web variant), or 'Cab33107.Cab_33107' (33107 variant). Right-click it and choose 'Delete'.

Next go to the Dial-up connections folder (on Windows 95/98/Me this is 'Dial-up Networking' inside My Computer; in Windows NT/2000/XP it is to be found under 'Network Connections' in the Control Panel). Delete the 'WonderPlus' or 'Wonderplay' entry.