Threat Description

Offensive

Details

Aliases: Offensive, Trojan.JS.Offensive
Category: Malware
Type: Trojan
Platform: W32

Summary



Offensive is a trojan horse that is able to execute directly via a web page or a HTML formatted email message by using a security vulnerability in Internet Explorer.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When executed, the trojan creates the following registry keys:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        RestrictRun
        NoChangeStartMenu
        NoClose
        NoDrives
        NoDriveTypeAutoRun
        NoFavoritesMenu
        NoFileMenu
        NoFind
        NoFolderOptions
        NoInternetIcon
        NoRecentDocsMenu
        NoLogOff
        NoRun
        NoSetActiveDesktop
        NoSetFolders
        NoSetTaskbar
        NoWindowsUpdate
        Nodesktop
        NoViewContextMenu
        NoNetHooD
        NoEntioeNetwork
        NoWorkgroupContents
        NoSaveSettings
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools
        NoConfigPage
        NoDevMgrPage
        NoDispAppearancePage
        NoDispScrSavPage
        NoDispBackgroundPage
        NoDispSettingsPage
        NoFileSysPage
        NoVirtMemPage
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
        NoRealMode
        Disabled
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
        LegalNoticeCaption
        LegalNoticeText
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
        ButtonText
        CLSID
        Default Visible
        Exec
        MenuStatusBar
        MenuText
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
        how to **** japanese
    HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
        command
    HKEY_LOCAL_MACHINE\Software\CLASSES\
        .exe
        .reg
        .htm
        .html
        .txt
        .inf
        .dll
        .ini
        .sys
        .com
        .bat
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
        internat.exe;
        ScanRegistry
        TaskMonitor
        SystemTray
        LoadPowerProfile
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
        LoadPowerProfile
        SchedulingAgent

These changes to the registry render the system to unusable state.

The security vulnerability used by the trojan is known. A fix and further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp





Technical Details: Sami Rautiainen, F-Secure Corporation; August 2001


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More