Threat Description

Offensive

Details

Aliases: Offensive, Trojan.JS.Offensive
Category: Malware
Type: Trojan
Platform: W32

Summary



Offensive is a trojan horse that is able to execute directly via a web page or an HTML-formatted email message by using a security vulnerability in Internet Explorer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



When executed, the trojan creates the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  RestrictRun
  NoChangeStartMenu
  NoClose
  NoDrives
  NoDriveTypeAutoRun
  NoFavoritesMenu
  NoFileMenu
  NoFind
  NoFolderOptions
  NoInternetIcon
  NoRecentDocsMenu
  NoLogOff
  NoRun
  NoSetActiveDesktop
  NoSetFolders
  NoSetTaskbar
  NoWindowsUpdate
  Nodesktop
  NoViewContextMenu
  NoNetHooD
  NoEntioeNetwork
  NoWorkgroupContents
  NoSaveSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableRegistryTools
  NoConfigPage
  NoDevMgrPage
  NoDispAppearancePage
  NoDispScrSavPage
  NoDispBackgroundPage
  NoDispSettingsPage
  NoFileSysPage
  NoVirtMemPage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
  NoRealMode
  Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
  Window Title
  Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Window Title
  Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
  LegalNoticeCaption
  LegalNoticeText
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
  ButtonText
  CLSID
  Default Visible
  Exec
  MenuStatusBar
  MenuText
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
  how to **** japanese
HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
  command
HKEY_LOCAL_MACHINE\Software\CLASSES\
  .exe
  .reg
  .htm
  .html
  .txt
  .inf
  .dll
  .ini
  .sys
  .com
  .bat
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  internat.exe;
  ScanRegistry
  TaskMonitor
  SystemTray
  LoadPowerProfile
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  LoadPowerProfile
  SchedulingAgent

These changes to the registry render the system unusable.
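As an added detection and clean-up example (not part of the F-Secure description), the following Python parses a regedit export, flags the shell-lockdown policy values listed above when they are set to a non-zero DWORD, and emits a .reg fragment that deletes them. The policy names are a subset of the list above, and the sample export is constructed, not captured from an infected host.

```python
import re
# Lockdown policies the trojan sets, taken from the list above (a subset; extend as needed).
EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKDOWN_VALUES = {
    EXPLORER_KEY: {"RestrictRun", "NoClose", "NoDrives", "NoRun", "NoFind", "NoFolderOptions",
                   "NoLogOff", "NoWindowsUpdate", "NoSaveSettings", "NoSetTaskbar", "NoDesktop"},
    SYSTEM_KEY: {"DisableRegistryTools", "NoConfigPage", "NoDevMgrPage", "NoFileSysPage"},
}
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

def parse_reg_export(text):
    """Parse a regedit export (.reg) into {key: {value_name: int}}, DWORD values only."""
    tree, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group(1)
            tree.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree

def find_lockdowns(tree):
    """Return sorted [(key, value_name, value)] for known lockdown policies set non-zero."""
    lowered = {k.lower(): v for k, v in tree.items()}  # registry paths are case-insensitive
    hits = []
    for key, names in LOCKDOWN_VALUES.items():
        wanted = {n.lower(): n for n in names}
        for name, value in lowered.get(key.lower(), {}).items():
            if name.lower() in wanted and value != 0:
                hits.append((key, wanted[name.lower()], value))
    return sorted(hits)

def remediation_reg(hits):
    """Emit a .reg file that deletes each flagged value ("name"=- removes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines += [f"[{key}]"] + [f'"{n}"=-' for k, n, _ in hits if k == key] + [""]
    return "\n".join(lines)

# Constructed sample export, not a capture from a real infected host.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDrives"=dword:03ffffff
"NoSetTaskbar"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

Running `remediation_reg(find_lockdowns(parse_reg_export(SAMPLE)))` yields a .reg fragment that removes only the non-zero lockdown values (NoSetTaskbar, set to zero, is left alone).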

The security vulnerability used by the trojan is known. A fix and further information are available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp





Technical Details: Sami Rautiainen, F-Secure Corporation; August 2001

