F-Secure
Tools
Trojan:W32/Needy
Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Trojan:W32/Needy is a Java-applet based program that changes the Internet Explorer start page and search settings to ones contained in the trojan. Needy activates when user views a web page or HTML email that contains reference to the trojan file.
Execution
When a JAR file containing the trojan is executed it uses Microsoft Internet Explorer VerifierBug vulnerability to get full privileges by escaping the Java security, and execute its code. Then the trojan creates a temporary file for registry settings and modifies the registry using regedit.exe.
The trojan modifies following registry keys:
To remove Needy.A from your system apply the fix to the Java VM vulnerability, clear temporary Internet files cache and remove the Internet Explorer settings modifications using IE Internet options menu.
Further information about the vulnerability in the Microsoft Java VM, including a fix, is available at: http://www.microsoft.com/technet/security/bulletin/ms03-011.asp
Variants
Needy.B
This variant is functionally close to Needy.A in addition of modifying Internet Explorer search settings as Needy.A does, it also adds a list of pornographic shortcuts to browser favourite and adds a pornographic shortcut to desktop.
Execution
When a JAR file containing the trojan is executed it uses Microsoft Internet Explorer VerifierBug vulnerability to get full privileges by escaping the Java security, and execute its code. Then the trojan creates a temporary file for registry settings and modifies the registry using regedit.exe.
The trojan modifies following registry keys:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Use Search Asst
Search Page
Start Page
Search Bar - [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
SearchAssistant
To remove Needy.A from your system apply the fix to the Java VM vulnerability, clear temporary Internet files cache and remove the Internet Explorer settings modifications using IE Internet options menu.
Further information about the vulnerability in the Microsoft Java VM, including a fix, is available at: http://www.microsoft.com/technet/security/bulletin/ms03-011.asp
Variants
Needy.B
This variant is functionally close to Needy.A in addition of modifying Internet Explorer search settings as Needy.A does, it also adds a list of pornographic shortcuts to browser favourite and adds a pornographic shortcut to desktop.
| Variant: | Needy.B |
This variant is functionally close to Needy.A in addition of modifying Internet Explorer search settings as Needy.A does, it also adds a list of pornographic shortcuts to browser favourite and adds a pornographic shortcut to desktop.