Parasite: MatrixDialer

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

An ActiveX installer control for premium-rate phone diallers, distributed by the Spanish company Matrix Technology Network.

Variants

MatrixDialer/Lanzar: uses the file msa32chk.dll in the System folder.

MatrixDialer/Mostrar: uses the file msa64chk.dll in the System folder, with a new class ID.

Distribution

Installed by ActiveX drive-by-download from masminutos.com, usually on porn pop-ups. May be downloaded automatically when the 123Mania parasite has been installed.

What it does

Advertising: No.

Privacy violation: No.

Security issues: Yes, critical. Any HTML page can direct the ActiveX control to download and run arbitrary, unsigned executable code from any server. MatrixDialer also compromises the Windows code-signing system so that its manufacturers are considered 'Trusted publishers' and can install further software from any web page even after MatrixDialer is removed.

Stability problems: None known.

Removal

Open the Downloaded Program Files folder inside the Windows folder, and delete the control called 'Marcador Class' (Lanzar variant) or 'Matrix Class' (Mostrar variant). This does not, unfortunately, uninstall the software itself.

Manual removal

Next, open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, for MatrixDialer/Lanzar:

    cd "%WinDir%\System"

Or, for MatrixDialer/Mostrar:

    cd "%WinDir%\System"

Open the registry (click 'Start', choose 'Run', enter 'regedit'), and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entry called 'Dialer', which uses rundll32.exe to run msa32chk.dll (Lanzar variant), or the entry using rundll32.exe to run msa64chk.exe (Mostrar variant; this can have different names depending on where it was downloaded; it usually masquerades as an MP3 download tool).

Find the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions, and delete the subkey {03FBB191-FB50-4154-91D7-587D5E3C0000}. (The last four digits may differ in the Mostrar variant.)

Open the Application Data folder. You can find this inside your user folder in 'Documents and Settings' on Windows 2000 or XP, or in your user folder in 'Profiles' in the Windows folder on Windows NT, or directly inside the Windows folder on Windows 95, 98 and Me. Delete the 'MATRIX' folder inside Application Data.

You can also delete MSA32CHK.DLL from the System folder (which is inside the Windows folder, and is called 'System32' on Windows NT, 2000 and XP), and any dialler icons added to your desktop and Start menu.

Finally, open Internet Options (from the Control Panel or Tools->Options in IE) and click the 'Publishers' button on the 'Content' tab. Remove any entries in the 'Trusted Publishers' list that refer to 'Matrix Technology Network SA', 'Futurpago SA', 'Desarrollos Huella Digital, S.L.' or 'MSN Technologies, S.L.'. (Normally, it is a good idea to keep this list completely empty.)

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links. Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
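The manual removal steps above can be turned into a read-only check. The following PowerShell script is an added example, not the doxdesk detection script or any code from the original page; it assumes a modern Windows with PowerShell, that the IE 'Trusted Publishers' list corresponds to the CurrentUser\TrustedPublisher certificate store, and that the System folder is %SystemRoot%\System32. It only reports indicators and deletes nothing.

```powershell
# Added example (not from doxdesk.com): read-only check for the MatrixDialer
# indicators listed in the removal steps. Reports findings; removes nothing.
$findings = @()

# 1. HKCU Run entries that launch msa32chk / msa64chk through rundll32
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'rundll32' -and $p.Value -match 'msa(32|64)chk') {
            $findings += "Run entry '$($p.Name)': $($p.Value)"
        }
    }
}

# 2. IE Extensions subkey; the last four digits may differ, so match the prefix
$extKey = 'HKCU:\Software\Microsoft\Internet Explorer\Extensions'
if (Test-Path $extKey) {
    Get-ChildItem $extKey | Where-Object { $_.PSChildName -like '{03FBB191-FB50-4154-91D7-587D5E3C*' } |
        ForEach-Object { $findings += "IE extension key: $($_.PSChildName)" }
}

# 3. Dialler DLLs in the System folder and the MATRIX folder in Application Data
foreach ($f in 'msa32chk.dll', 'msa64chk.dll') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path $path) { $findings += "File present: $path" }
}
$matrixDir = Join-Path $env:APPDATA 'MATRIX'
if (Test-Path $matrixDir) { $findings += "Folder present: $matrixDir" }

# 4. Trusted Publishers store (what IE shows under Content -> Publishers);
#    names taken from the page, matched as substrings of the certificate subject
$publishers = 'Matrix Technology Network', 'Futurpago', 'Desarrollos Huella Digital', 'MSN Technologies'
Get-ChildItem Cert:\CurrentUser\TrustedPublisher -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in $publishers) {
        if ($_.Subject -match [regex]::Escape($name)) { $findings += "Trusted publisher: $($_.Subject)" }
    }
}

if ($findings.Count -eq 0) { 'No MatrixDialer indicators found.' } else { $findings }
```

A non-empty result means the corresponding manual step above still needs to be carried out; the script is also a quick way to confirm that the Trusted Publishers entries, which survive removal of the control itself, are really gone.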