IEAccess

Description

IEAccess is an ActiveX control used to download and install premium-rate diallers, primarily for porn sites.

Variants

IEAccess/IEDial, IEAccess/HTMLAccess and IEAccess/HTMLDialer are broadly similar but use different filenames and IDs.

IEAccess/EGDial is based on IEAccess/HTMLDialer, with an extra file.

Also known as

eGroup, by Spybot S&D, from the name of its makers.

Distribution

Installed by ActiveX drive-by-download by porn-related pages from nocreditcard.net and sex-explorer.com, which may be opened or redirected to by pop-up advertising.

The IEDial variant is known to be installed automatically, without prompting, on Internet Explorer versions earlier than IE6 Service Pack 1, thanks to a security hole. The installer pages exploit this to run an EXE which adds ‘Electronic Group’ to the list of trusted publishers whose software IE will install automatically without asking.

Electronic Group are also known to distribute at least two other types of stealth-installed dialer, StripPlayer and DialerOffline.

What it does

Advertising

No.

Privacy violation

No.

Security issues

It is suspected that it may be possible to use an IEAccess ActiveX control on any web page to cause arbitrary unsigned code to be executed. IEAccess/EGDial may also install the MagicControl parasite.

Stability problems

None known.

Removal

Spybot S&D update 2002-11-17 and later can remove IEAccess/IEDial.

Manual removal

From ‘Downloaded Program Files’ in the Windows folder, right-click the ‘IEDial Class’ (IEDial variant), ‘HTMLAccess Class’ (HTMLAccess variant), ‘HTMLDialer Class’ (HTMLDialer variant) or ‘{2ABE804B-4D3A-41BF-A172-304627874B45}’ (EGDial variant) entry and remove it.

This does not actually get rid of the software, so open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for the IEDial variant:

cd "%WinDir%\System"
regsvr32.exe /u IEAccess2.dll

Or, for the HTMLAccess variant:

cd "%WinDir%\System"
regsvr32.exe /u DHTMLAccess.dll

Or, for the HTMLDialer variant:

cd "%WinDir%\System"
regsvr32.exe /u EGHTMLDialer.dll

Or, for the EGDial variant, you’ll need to find out the filename of the DLL responsible. Open the System folder (which is inside the Windows folder, and called ‘System32’ on Windows NT, 2000 and XP), and look for a filename beginning ‘EGDHTML’; known filenames include ‘EGDHTML_1015.dll’, ‘EGDHTML_1017.dll’ and ‘EGDHTML_1019.dll’. Enter the following commands, substituting the correct number:

cd "%WinDir%\System"
regsvr32.exe /u EGDHTML_1019.dll

You can now delete the ‘IEAccess2.dll’ (IEAccess variant), ‘DHTMLAccess.dll’ (HTMLAccess), ‘EGHTMLDialer.dll’ (HTMLDialer) or ‘EGDHTML_number.dll’ (EGDial) file in the System folder (which is inside the Windows folder, called ‘System32’ on Windows NT, 2000 and XP, or just ‘System’ on Windows 95, 98 and Me). The EGDial variant also sometimes leaves ‘EGDial.dll’ in the System folder; this too can be deleted.

Next open the registry (Start->Run->regedit) and delete the key ‘HKEY_CURRENT_USER\Software\egroup’.

Finally, check whether Electronic Group have been added to your Trusted Publishers list – at least the IEDial and EGDial variants have been seen to do this. Open Internet Options->Content->Certificates->Publishers. Delete the entry if it is there, then open the registry (Start->Run->regedit) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database. Delete the entry with the value ‘ELECTRONIC GROUP’.

IEAccess may have downloaded one or more unwanted diallers. Sometimes these may appear in an ‘eGroup’ folder in the Windows folder, as well as in entries in the more usual Program Files folder. Check and delete any diallers you find.
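As an added worked example of the manual procedure above (not part of the original page and not a tool from its author), the following PowerShell script audits a machine for the artefacts the removal steps name and, when run with -Remove, carries out the same cleanup in the same order: unregister the control with regsvr32 /u, delete the DLL, delete the registry keys, and remove the ‘ELECTRONIC GROUP’ trusted-publisher value. The DLL names, the ‘egroup’ and Trust Database registry keys, the ‘ELECTRONIC GROUP’ value and the EGDial CLSID are taken from the page. The Code Store Database key (where Internet Explorer records Downloaded Program Files entries), the script structure and the -Remove parameter name are this example's own assumptions; only the EGDial entry under Downloaded Program Files is handled, because the page gives no CLSIDs for the other variants' classes.

```powershell
<#
  Added example, not from the original page: report (and with -Remove, clean up)
  the IEAccess artefacts listed in the manual-removal section. Run from an
  elevated PowerShell prompt; without -Remove nothing is changed.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # assumed parameter name for this example
)

$sysDir   = [Environment]::SystemDirectory   # System32 on NT-based Windows
$winDir   = $env:SystemRoot
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [scriptblock]$Cleanup) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Cleanup = $Cleanup })
}

# 1. Control DLLs named on the page, in the System folder.
foreach ($pattern in 'IEAccess2.dll', 'DHTMLAccess.dll', 'EGHTMLDialer.dll', 'EGDHTML_*.dll', 'EGDial.dll') {
    foreach ($file in Get-ChildItem -Path $sysDir -Filter $pattern -File -ErrorAction SilentlyContinue) {
        $dll = $file.FullName
        $cleanup = {
            # Page step: unregister the control, then delete the file.
            Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$dll`"" -Wait
            Remove-Item -LiteralPath $dll -Force
        }.GetNewClosure()
        Add-Finding 'ControlDLL' $dll $cleanup
    }
}

# 2. Registry keys: the EGDial Downloaded Program Files entry (CLSID from the
#    page; Code Store Database location is an assumption) and HKCU\Software\egroup.
$egdialClsid = '{2ABE804B-4D3A-41BF-A172-304627874B45}'
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$egdialClsid",
    'HKCU:\Software\egroup'
)
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $cleanup = { Remove-Item -LiteralPath $key -Recurse -Force }.GetNewClosure()
        Add-Finding 'RegistryKey' $key $cleanup
    }
}

# 3. Trusted-publisher entry: any value in the Trust Database (or its subkeys)
#    whose data is 'ELECTRONIC GROUP'.
$trustKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database'
if (Test-Path -LiteralPath $trustKey) {
    $trustKeys = @(Get-Item -LiteralPath $trustKey) + @(Get-ChildItem -LiteralPath $trustKey -Recurse)
    foreach ($k in $trustKeys) {
        foreach ($name in $k.GetValueNames()) {
            if ("$($k.GetValue($name))".Trim() -ieq 'ELECTRONIC GROUP') {
                $path = $k.PSPath
                $cleanup = { Remove-ItemProperty -LiteralPath $path -Name $name -Force }.GetNewClosure()
                Add-Finding 'TrustedPublisher' "$($k.Name) -> $name" $cleanup
            }
        }
    }
}

# 4. The 'eGroup' folder inside the Windows folder where downloaded diallers may sit.
$egroupDir = Join-Path $winDir 'eGroup'
if (Test-Path -LiteralPath $egroupDir -PathType Container) {
    $cleanup = { Remove-Item -LiteralPath $egroupDir -Recurse -Force }.GetNewClosure()
    Add-Finding 'DialerFolder' $egroupDir $cleanup
}

# Report, and clean up only when asked to.
if ($findings.Count -eq 0) { Write-Host 'No IEAccess artefacts found.'; return }
$findings | Select-Object Kind, Location | Format-Table -AutoSize
if ($Remove) {
    foreach ($f in $findings) {
        Write-Host "Removing $($f.Kind): $($f.Location)"
        & $f.Cleanup
    }
    Write-Host 'Done. Still check Internet Options -> Content -> Certificates -> Publishers for an Electronic Group entry.'
}
```

The default run is read-only, so it can be used as a quick check on a machine that has visited the sites named above before anything is deleted. Unregistering and deleting DLLs in the System folder and editing HKLM needs an elevated prompt, and the Publishers dialog in Internet Options should still be inspected by hand as the page describes, since the script only removes the registry value behind it.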