Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Offensive


Aliases:

Offensive
Trojan.JS.Offensive

Malware

W32

Summary

Offensive is a trojan horse that is able to execute directly via a web page or a HTML formatted email message by using a security vulnerability in Internet Explorer.



Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When executed, the trojan creates the following registry keys:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        RestrictRun
        NoChangeStartMenu
        NoClose
        NoDrives
        NoDriveTypeAutoRun
        NoFavoritesMenu
        NoFileMenu
        NoFind
        NoFolderOptions
        NoInternetIcon
        NoRecentDocsMenu
        NoLogOff
        NoRun
        NoSetActiveDesktop
        NoSetFolders
        NoSetTaskbar
        NoWindowsUpdate
        Nodesktop
        NoViewContextMenu
        NoNetHooD
        NoEntioeNetwork
        NoWorkgroupContents
        NoSaveSettings
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools
        NoConfigPage
        NoDevMgrPage
        NoDispAppearancePage
        NoDispScrSavPage
        NoDispBackgroundPage
        NoDispSettingsPage
        NoFileSysPage
        NoVirtMemPage
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
        NoRealMode
        Disabled
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
        LegalNoticeCaption
        LegalNoticeText
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
        ButtonText
        CLSID
        Default Visible
        Exec
        MenuStatusBar
        MenuText
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
        how to **** japanese
    HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
        command
    HKEY_LOCAL_MACHINE\Software\CLASSES\
        .exe
        .reg
        .htm
        .html
        .txt
        .inf
        .dll
        .ini
        .sys
        .com
        .bat
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
        internat.exe;
        ScanRegistry
        TaskMonitor
        SystemTray
        LoadPowerProfile
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
        LoadPowerProfile
        SchedulingAgent

These changes to the registry render the system to unusable state.

The security vulnerability used by the trojan is known. A fix and further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp






Technical Details: Sami Rautiainen, F-Secure Corporation; August 2001



Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)



F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.