Weekly Spyware Alert: IEAccess

Aliases: eGroup

Variants: IEAccess/IEDial and IEAccess/HTMLAccess are similar but use different filenames and IDs.

IEAccess is an ActiveX control used to download and install premium-rate dialers*, primarily for porn sites.

* Dialers are a type of software typically used by vendors serving pornography via the Internet. Once dialer software is downloaded, the user's modem is disconnected from their usual Internet service provider, connected to another (premium-rate) phone number, and the user is billed for the call. Dialers do not "spy" on their intended victims, but these malevolent programs can rack up significant long-distance phone charges, costing victims time and money.

Method of Infection:
IEAccess is primarily installed by ActiveX drive-by-download on porn-related pages from nocreditcard.net and sex-explorer.com. These pages may be redirected to or opened by pop-up advertising.

*The IEDial variant is known to exploit a security hole to install automatically, without prompting, on Internet Explorer versions earlier than IE6 Service Pack 1. The installer pages exploit this security hole to run an EXE which adds Electronic Group to the list of trusted publishers whose software IE will install automatically without asking.

Privacy Issues:
While dialers do not specifically invade privacy by stealing credit card numbers, they are credited with causing thousands of dollars in unauthorized telephone charges. What's worse, most victims won't even know they have a dialer on their PC until they get their telephone bill.

Security Issues:
It is suspected that it may be possible to use an IEAccess ActiveX control on any web page to cause arbitrary unsigned code to be executed.

Stability Issues:
None reported

Removal Process:
The removal of any dialer program requires knowledge of the Windows registry. Without an anti-spyware software program, removal of IEAccess and its variants can be a difficult process. Running a good anti-spyware program on a daily, or weekly basis, will alert you to the presence of (and completely remove) dialers before significant charges can be made.

Manual Removal Steps:

  1. From Downloaded Program Files in the Windows folder, right-click the IEDial Class (IEDial variant) or HTMLAccess Class (HTMLAccess variant) entry and remove it. This will not actually remove the software.
  2. Next open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands (use System32 instead of System on Windows NT, 2000 and XP; see step 3):
    1. For the IEDial variant:
       cd "%WinDir%\System"
       regsvr32.exe /u IEAccess2.dll
    2. Or, for the HTMLAccess variant:
       cd "%WinDir%\System"
       regsvr32.exe /u DHTMLAccess.dll
  3. You can now delete the IEAccess2.dll or DHTMLAccess.dll file in the System folder (which is inside the Windows folder; it is called System32 on Windows NT, 2000 and XP, or just System on Windows 95, 98 and Me).
  4. Next open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\egroup
  5. Finally, check whether Electronic Group has been added to your Trusted Publishers list, from Internet Options->Content->Certificates->Publishers. If so, delete the entry, then open the registry (Start->Run->regedit) and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0. Delete the entry whose value data is ELECTRONIC GROUP.

IEAccess may have downloaded more than one unwanted dialer. Look for an eGroup folder in the Windows folder, as well as entries in the more usual Program Files folder. Check and delete any dialers you find.
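The following PowerShell audit script is an added example, not part of the original alert; it only reports the indicators the manual removal steps above name (the two DLLs, the egroup key, the Electronic Group trusted-publisher entry and the eGroup folder) and changes nothing, so it can be run before and after removal to confirm the result. The script layout and the use of the System folder path for this Windows build are assumptions.

```powershell
# Added audit script (not from the original alert): reports the IEAccess
# indicators from the manual removal steps without modifying anything.
$indicators = @()

# 1. The ActiveX DLLs named in the alert, in the System folder of this build
#    (System32 on NT-based Windows, System on 95/98/Me).
$sysDir = [Environment]::GetFolderPath('System')
foreach ($dll in 'IEAccess2.dll', 'DHTMLAccess.dll') {
    $path = Join-Path $sysDir $dll
    if (Test-Path -LiteralPath $path) {
        $indicators += [pscustomobject]@{ Type = 'File'; Location = $path;
            Action = 'Unregister with regsvr32 /u, then delete' }
    }
}

# 2. The per-user key the dialer writes.
$egroupKey = 'HKCU:\Software\egroup'
if (Test-Path -LiteralPath $egroupKey) {
    $indicators += [pscustomobject]@{ Type = 'Registry key'; Location = $egroupKey;
        Action = 'Delete key' }
}

# 3. Electronic Group in the IE trusted-publisher database. The publisher name
#    is stored as each value's data, so match on data rather than value name.
$trustKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\' +
            'Trust Providers\Software Publishing\Trust Database\0'
if (Test-Path -LiteralPath $trustKey) {
    $props = Get-ItemProperty -LiteralPath $trustKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties PowerShell adds.
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -ieq 'ELECTRONIC GROUP') {
            $indicators += [pscustomobject]@{ Type = 'Registry value';
                Location = "$trustKey\$($p.Name)";
                Action = 'Remove trusted-publisher entry' }
        }
    }
}

# 4. The dropped dialer folder the alert says to look for.
$egroupDir = Join-Path $env:WinDir 'eGroup'
if (Test-Path -LiteralPath $egroupDir) {
    $indicators += [pscustomobject]@{ Type = 'Folder'; Location = $egroupDir;
        Action = 'Inspect for dialers and delete' }
}

if ($indicators.Count -eq 0) { 'No IEAccess indicators found.' }
else { $indicators | Format-Table -AutoSize }
```

Run it from the account that browsed the infected pages, since the egroup and Trust Database keys live under HKEY_CURRENT_USER.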

Electronic Group are also known to distribute at least two other dialers, StripPlayer and DialerOffline.