Threat Description

Seeker

Details

Aliases:Seeker
Category:Malware
Type:Trojan
Platform:W32

Summary



This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy to drop itself to the Windows Startup directory.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



This trojan consists of three different parts: one HTML web page, and two hta files.

The web page is available in an adult site, and it affects Internet Explorer users. Once a user visits that page it immediately drops a file "runme.hta" in the Windows Startup directory and "removeit.hta" in the root of the "C:" drive. Next time when the system is rebooted it executes and changes the Internet Explorer and Netscape Navigator startup page to www.sureseeker.com. It also modifies the Internet Explorer default search pages to that location. These changes are made to the registry, however, the trojan makes backup of these registry settings to two files, "backup1.reg" and "backup2.reg" in the Windows directory.

After that the trojan executes "removeit.hta", that simply deletes "runme.hta" from the Windows Startup directory. On that way the user cannot see the previosly dropped "runme.hta" file.

To protect yourself against the vulnerability that this trojan uses, you can download and install the patch provided by Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure; October 2000


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More