F-Secure Virus Descriptions : Needy

NAME:	Needy
ALIAS:	Java/Needy.A

Needy is a Java applet based trojan that changes the Internet Explorer start page and search settings to ones contained in the trojan. Needy activates when user views a web page or HTML email that contains reference to the trojan file.

Needy does not replicate and does not infect host system, the only operations it does is to set the Internet Explorer settings.

Technical details

When a JAR file containing the trojan is executed it uses Microsoft Internet Explorer VerifierBug vulnerability to get full privileges by escaping the Java security, and execute its code. Then the trojan creates a temporary file for registry settings and modifies the registry using regedit.exe.

The trojan modifies following registry keys:

  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  Use Search Asst
  Search Page
  Start Page
  Search Bar

  [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
  SearchAssistant

To remove Needy.A from your system apply the fix to the Java VM vulnerability, clear temporary Internet files cache and remove the Internet Explorer settings modifications using IE Internet options menu.

Further information about the vulnerability in the Microsoft Java VM, including a fix, is available at: http://www.microsoft.com/technet/security/bulletin/ms03-011.asp

VARIANT: Needy.B

ALIAS: Java/Needy.B, Trojan/Java/Startpage.D

This variant is functionally close to Needy.A in addition of modifying Internet Explorer search settings as Needy.A does, it also adds a list of pornographic shortcuts to browser favourite and adds a pornographic shortcut to desktop.

[Analysis: Jarno Niemela, Sami Rautiainen and Katrin Tocheva, F-Secure Corp., June 24 - September 2nd, 2003]