Offensive

Summary

Offensive is a trojan horse that can execute directly from a web page or an HTML-formatted email message by exploiting a security vulnerability in Internet Explorer.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for the desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

When executed, the trojan creates the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  RestrictRun
  NoChangeStartMenu
  NoClose
  NoDrives
  NoDriveTypeAutoRun
  NoFavoritesMenu
  NoFileMenu
  NoFind
  NoFolderOptions
  NoInternetIcon
  NoRecentDocsMenu
  NoLogOff
  NoRun
  NoSetActiveDesktop
  NoSetFolders
  NoSetTaskbar
  NoWindowsUpdate
  Nodesktop
  NoViewContextMenu
  NoNetHooD
  NoEntioeNetwork
  NoWorkgroupContents
  NoSaveSettings

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  DisableRegistryTools
  NoConfigPage
  NoDevMgrPage
  NoDispAppearancePage
  NoDispScrSavPage
  NoDispBackgroundPage
  NoDispSettingsPage
  NoFileSysPage
  NoVirtMemPage

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
  NoRealMode
  Disabled

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
  Window Title
  Start Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
  Window Title
  Start Page

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
  LegalNoticeCaption
  LegalNoticeText

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
  ButtonText
  CLSID
  Default Visible
  Exec
  MenuStatusBar
  MenuText

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
  how to **** japanese

HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
  command

HKEY_LOCAL_MACHINE\Software\CLASSES\
  .exe
  .reg
  .htm
  .html
  .txt
  .inf
  .dll
  .ini
  .sys
  .com
  .bat

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
  internat.exe;
  ScanRegistry
  TaskMonitor
  SystemTray
  LoadPowerProfile

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  LoadPowerProfile
  SchedulingAgent

Together these registry changes render the system unusable: the Explorer and System policy values disable the Run dialog, Folder Options, the Registry Editor and most Control Panel pages, while the remaining keys change the Internet Explorer start page and title, the logon notice, the shell command for drives and the file type associations.
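As an added example (not part of the F-Secure description), the following Python script parses a `reg export`-style dump and reports which of the Explorer and System policy restrictions listed above are set to a non-zero value. A single such policy is often a legitimate Group Policy setting, so the useful signal is how many are set at once; the sample dump is constructed for the example.

```python
import re

# Value names the description lists under ...\Policies\Explorer and ...\Policies\System.
EXPLORER_POLICIES = {
    "RestrictRun", "NoChangeStartMenu", "NoClose", "NoDrives", "NoDriveTypeAutoRun",
    "NoFavoritesMenu", "NoFileMenu", "NoFind", "NoFolderOptions", "NoInternetIcon",
    "NoRecentDocsMenu", "NoLogOff", "NoRun", "NoSetActiveDesktop", "NoSetFolders",
    "NoSetTaskbar", "NoWindowsUpdate", "Nodesktop", "NoViewContextMenu", "NoNetHooD",
    "NoEntioeNetwork", "NoWorkgroupContents", "NoSaveSettings",
}
SYSTEM_POLICIES = {
    "DisableRegistryTools", "NoConfigPage", "NoDevMgrPage", "NoDispAppearancePage",
    "NoDispScrSavPage", "NoDispBackgroundPage", "NoDispSettingsPage", "NoFileSysPage",
    "NoVirtMemPage",
}
POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
WATCHED = {POLICY_ROOT + r"\Explorer": EXPLORER_POLICIES, POLICY_ROOT + r"\System": SYSTEM_POLICIES}

def parse_reg_export(text):
    """Parse [KEY] sections and "Name"=value lines of a .reg file into {key: {name: raw}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\").lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"([^"]+)"=(.*)', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_lockdown_policies(text):
    """Return (subkey, name, raw data) for every listed restriction set to a non-zero DWORD.
    One hit is often a legitimate Group Policy; the trojan sets almost all of them at once."""
    parsed, hits = parse_reg_export(text), []
    for key, names in WATCHED.items():
        for name, raw in parsed.get(key.lower(), {}).items():
            if name in names and raw != "dword:00000000":
                hits.append((key.rsplit("\\", 1)[-1], name, raw))
    return sorted(hits)

# Constructed sample export (not real data) in `reg export` format.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoConfigPage"=dword:00000000
"""
```

Run `find_lockdown_policies` over the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies` from a suspect machine; an explicit zero value is skipped because it means the restriction is switched off.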

The security vulnerability used by the trojan is known. A fix and further information are available from Microsoft: https://www.microsoft.com/technet/security/bulletin/MS00-075.asp
