F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Offensive





NAME:Offensive
ALIAS:Trojan.JS.Offensive

Offensive is a trojan horse that is able to execute directly via a web page or a HTML formatted email message by using a security vulnerability in Internet Explorer.

When executed, the trojan creates the following registry keys: 

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        RestrictRun
        NoChangeStartMenu
        NoClose
        NoDrives
        NoDriveTypeAutoRun
        NoFavoritesMenu
        NoFileMenu
        NoFind
        NoFolderOptions
        NoInternetIcon
        NoRecentDocsMenu
        NoLogOff
        NoRun
        NoSetActiveDesktop
        NoSetFolders
        NoSetTaskbar
        NoWindowsUpdate
        Nodesktop
        NoViewContextMenu
        NoNetHooD
        NoEntioeNetwork
        NoWorkgroupContents
        NoSaveSettings


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools
        NoConfigPage
        NoDevMgrPage
        NoDispAppearancePage
        NoDispScrSavPage
        NoDispBackgroundPage
        NoDispSettingsPage
        NoFileSysPage
        NoVirtMemPage


    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
        NoRealMode
        Disabled


    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page


    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
        LegalNoticeCaption
        LegalNoticeText


    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
        ButtonText
        CLSID
        Default Visible
        Exec
        MenuStatusBar
        MenuText


    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
        how to **** japanese


    HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
        command


    HKEY_LOCAL_MACHINE\Software\CLASSES\
        .exe
        .reg
        .htm
        .html
        .txt
        .inf
        .dll
        .ini
        .sys
        .com
        .bat


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
        internat.exe;
        ScanRegistry
        TaskMonitor
        SystemTray
        LoadPowerProfile


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
        LoadPowerProfile
        SchedulingAgent

These changes to the registry render the system to unusable state.

The security vulnerability used by the trojan is known. A fix and further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp

[Analysis: Sami Rautiainen, F-Secure Corporation; August 2001]