This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy
to drop itself to the Windows Startup directory.
This trojan consists of three different parts: one HTML web page, and
two hta files.
The web page is available in an adult site, and it affects Internet
Explorer users. Once a user visits that page it immediately drops a
file "runme.hta" in the Windows Startup directory and "removeit.hta"
in the root of the "C:" drive. Next time when the system is rebooted
it executes and changes the Internet Explorer and Netscape Navigator
startup page to www.sureseeker.com. It also modifies the Internet
Explorer default search pages to that location. These changes are made
to the registry, however, the trojan makes backup of these registry
settings to two files, "backup1.reg" and "backup2.reg" in the Windows
directory.
After that the trojan executes "removeit.hta", that simply deletes
"runme.hta" from the Windows Startup directory. On that way the user
cannot see the previosly dropped "runme.hta" file.
To protect yourself against the vulnerability that this trojan uses,
you can download and install the patch provided by Microsoft:
