Threat Description



Aliases: Offensive, Trojan.JS.Offensive
Category: Malware
Platform: W32


Offensive is a trojan horse that can execute directly from a web page or an HTML-formatted email message by exploiting a security vulnerability in Internet Explorer.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

When executed, the trojan creates the following registry keys:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
        RestrictRun
        NoChangeStartMenu
        NoClose
        NoDrives
        NoDriveTypeAutoRun
        NoFavoritesMenu
        NoFileMenu
        NoFind
        NoFolderOptions
        NoInternetIcon
        NoRecentDocsMenu
        NoLogOff
        NoRun
        NoSetActiveDesktop
        NoSetFolders
        NoSetTaskbar
        NoWindowsUpdate
        Nodesktop
        NoViewContextMenu
        NoNetHooD
        NoEntioeNetwork
        NoWorkgroupContents
        NoSaveSettings

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
        DisableRegistryTools
        NoConfigPage
        NoDevMgrPage
        NoDispAppearancePage
        NoDispScrSavPage
        NoDispBackgroundPage
        NoDispSettingsPage
        NoFileSysPage
        NoVirtMemPage

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
        NoRealMode
        Disabled

  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
        Window Title
        Start Page

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
        LegalNoticeCaption
        LegalNoticeText

  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
        ButtonText
        CLSID
        Default Visible
        Exec
        MenuStatusBar
        MenuText

  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
        how to **** japanese

  HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
        command

  HKEY_LOCAL_MACHINE\Software\CLASSES\
        .exe
        .reg
        .htm
        .html
        .txt
        .inf
        .dll
        .ini
        .sys
        .com
        .bat

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
        internat.exe;
        ScanRegistry
        TaskMonitor
        SystemTray
        LoadPowerProfile

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
        LoadPowerProfile
        SchedulingAgent

These changes to the registry render the system unusable.
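A triage check for the three Policies subkeys listed above, as an added example (not F-Secure's code): it parses a `.reg` export and reports which of the listed restriction values are actually set. The function name `find_restrictions` and the sample export are constructed for illustration.

```python
import re

POLICIES = "\\software\\microsoft\\windows\\currentversion\\policies\\"
# Value names as listed (and spelled) in the write-up, per Policies subkey.
WATCHED = {k: set(v.lower().split()) for k, v in {
    "explorer": """RestrictRun NoChangeStartMenu NoClose NoDrives NoDriveTypeAutoRun
        NoFavoritesMenu NoFileMenu NoFind NoFolderOptions NoInternetIcon
        NoRecentDocsMenu NoLogOff NoRun NoSetActiveDesktop NoSetFolders NoSetTaskbar
        NoWindowsUpdate Nodesktop NoViewContextMenu NoNetHooD NoEntioeNetwork
        NoWorkgroupContents NoSaveSettings""",
    "system": """DisableRegistryTools NoConfigPage NoDevMgrPage NoDispAppearancePage
        NoDispScrSavPage NoDispBackgroundPage NoDispSettingsPage NoFileSysPage
        NoVirtMemPage""",
    "winoldapp": "NoRealMode Disabled",
}.items()}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
OFF_RE = re.compile(r"-|dword:0+|hex:00(,00)*", re.I)  # deleted or zeroed

def find_restrictions(reg_text):
    """Return (key, name, data) for each watched policy value that is set."""
    hits, key, names = [], None, set()
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            head, _, leaf = key.lower().rpartition("\\")
            # "[-key]" deletes a key; only Policies\<subkey> sections are watched.
            watched = not key.startswith("-") and (head + "\\").endswith(POLICIES)
            names = WATCHED.get(leaf, set()) if watched else set()
        else:
            m = VALUE_RE.match(line)
            if m and m.group(1).lower() in names and not OFF_RE.fullmatch(m.group(2)):
                hits.append((key, m.group(1), m.group(2)))
    return hits

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000000
"NoDrives"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoConfigPage"=-
'''
if __name__ == "__main__":
    for key, name, data in find_restrictions(SAMPLE):
        print(f"{key}\\{name} = {data}")
```

Exports written by current versions of `reg.exe` or Regedit are UTF-16, so open them with `encoding="utf-16"` before passing the text in.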

The security vulnerability used by the trojan is known. A fix and further information are available from Microsoft:

Technical Details: Sami Rautiainen, F-Secure Corporation; August 2001

