
Offensive


Aliases:


Offensive
Trojan.JS.Offensive

Malware
Trojan
W32

Summary

Offensive is a trojan horse that executes directly from a web page or an HTML-formatted e-mail message by exploiting a security vulnerability in Internet Explorer.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When executed, the trojan creates the following registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        RestrictRun
        NoChangeStartMenu
        NoClose
        NoDrives
        NoDriveTypeAutoRun
        NoFavoritesMenu
        NoFileMenu
        NoFind
        NoFolderOptions
        NoInternetIcon
        NoRecentDocsMenu
        NoLogOff
        NoRun
        NoSetActiveDesktop
        NoSetFolders
        NoSetTaskbar
        NoWindowsUpdate
        Nodesktop
        NoViewContextMenu
        NoNetHooD
        NoEntioeNetwork
        NoWorkgroupContents
        NoSaveSettings
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools
        NoConfigPage
        NoDevMgrPage
        NoDispAppearancePage
        NoDispScrSavPage
        NoDispBackgroundPage
        NoDispSettingsPage
        NoFileSysPage
        NoVirtMemPage
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
        NoRealMode
        Disabled
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
        LegalNoticeCaption
        LegalNoticeText
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
        ButtonText
        CLSID
        Default Visible
        Exec
        MenuStatusBar
        MenuText
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
        how to **** japanese
    HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
        command
    HKEY_LOCAL_MACHINE\Software\CLASSES\
        .exe
        .reg
        .htm
        .html
        .txt
        .inf
        .dll
        .ini
        .sys
        .com
        .bat
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
        internat.exe;
        ScanRegistry
        TaskMonitor
        SystemTray
        LoadPowerProfile
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
        LoadPowerProfile
        SchedulingAgent

Taken together, these registry changes render the system unusable.
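As an added example that is not part of the original F-Secure description, the following PowerShell script audits a Windows host for the restriction values listed above and, with -Remove, deletes them. The key paths and value names are taken from the listing (including the Windows 9x Winlogon location and the odd spellings as printed); the script itself, its parameter names and its use of the HKCU:/HKLM: registry drives are assumptions about a modern Windows PowerShell environment. It goes slightly beyond the list by reporting, rather than deleting, the Internet Explorer and Winlogon values the trojan overwrites, since those can legitimately exist on a managed host.

```powershell
# Added example, not part of the F-Secure description: audit a host for the registry
# restrictions listed above. Read-only unless -Remove is given; -Remove honours
# -WhatIf / -Confirm through SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Restriction value names exactly as listed in the Technical Details (including the
# odd spellings NoNetHooD / NoEntioeNetwork, which are themselves a useful indicator).
$policyKeys = [ordered]@{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
        'RestrictRun','NoChangeStartMenu','NoClose','NoDrives','NoDriveTypeAutoRun',
        'NoFavoritesMenu','NoFileMenu','NoFind','NoFolderOptions','NoInternetIcon',
        'NoRecentDocsMenu','NoLogOff','NoRun','NoSetActiveDesktop','NoSetFolders',
        'NoSetTaskbar','NoWindowsUpdate','Nodesktop','NoViewContextMenu','NoNetHooD',
        'NoEntioeNetwork','NoWorkgroupContents','NoSaveSettings'
    )
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'DisableRegistryTools','NoConfigPage','NoDevMgrPage','NoDispAppearancePage',
        'NoDispScrSavPage','NoDispBackgroundPage','NoDispSettingsPage','NoFileSysPage',
        'NoVirtMemPage'
    )
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp' = @('NoRealMode','Disabled')
}

# Values the trojan overwrites rather than creates; reported for analyst review only.
$reviewValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Names = @('Window Title','Start Page') }
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Names = @('Window Title','Start Page') }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Winlogon'; Names = @('LegalNoticeCaption','LegalNoticeText') }
)

# Toolbar button CLSID from the listing above.
$extensionKey = 'HKLM:\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}'

$findings = foreach ($key in $policyKeys.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $policyKeys[$key]) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value }
        }
    }
}

# NoDriveTypeAutoRun is set legitimately on many hosts, so a single hit means little;
# dozens of these restrictions appearing together under HKCU is the signal.
$found = @($findings)
Write-Host ("{0} restriction value(s) present." -f $found.Count)
$found | Format-Table -AutoSize

foreach ($entry in $reviewValues) {
    if (Test-Path -LiteralPath $entry.Path) {
        $props = Get-ItemProperty -LiteralPath $entry.Path
        foreach ($name in $entry.Names) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop) {
                Write-Host ("REVIEW {0}\{1} = '{2}'" -f $entry.Path, $name, $prop.Value)
            }
        }
    }
}

if (Test-Path -LiteralPath $extensionKey) {
    Write-Host "IE extension key for CLSID {C18CB140-0BBB-11D4-8FE8-0088CC102438} is present."
}

if ($Remove) {
    foreach ($f in $found) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name
        }
    }
}
```

Run it first without -Remove and with the output saved, then `-Remove -WhatIf` to see exactly which values would be deleted before committing; the Run/RunServices entries and file-association changes listed above are not touched by the script and should be compared against a known-good host by hand.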

The security vulnerability used by the trojan is known. A fix and further information are available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp





Technical Details: Sami Rautiainen, F-Secure Corporation; August 2001