Seeker

Classification

Malware

Trojan

W32

Seeker

Summary

This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy to drop itself to the Windows Startup directory.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This trojan consists of three different parts: one HTML web page, and two hta files.

The web page is available in an adult site, and it affects Internet Explorer users. Once a user visits that page it immediately drops a file "runme.hta" in the Windows Startup directory and "removeit.hta" in the root of the "C:" drive. Next time when the system is rebooted it executes and changes the Internet Explorer and Netscape Navigator startup page to www.sureseeker.com. It also modifies the Internet Explorer default search pages to that location. These changes are made to the registry, however, the trojan makes backup of these registry settings to two files, "backup1.reg" and "backup2.reg" in the Windows directory.

After that the trojan executes "removeit.hta", that simply deletes "runme.hta" from the Windows Startup directory. On that way the user cannot see the previosly dropped "runme.hta" file.

To protect yourself against the vulnerability that this trojan uses, you can download and install the patch provided by Microsoft:

https://www.microsoft.com/technet/security/bulletin/ms99-032.asp

Date Created: -

Date Last Modified: -