Searching
..

Click anywhere to stop

Trojan.JS.Seeker-based

Class Trojan
Platform JS
Description

Technical Details

The Trojan program modifies the Internet Explorer home page and adds new links to ‘Favorites’ without the knowledge or consent of the user.

The Trojan is written in JavaScript. It locates hypertext documents on web sites and in emails. It only functions if browser support for JavaScript is enabled.

Payload

The Trojan modifies the following system registry keys:

[HKCUSoftwareMicrosoftInternet ExplorerMain]
[HKLMSoftwareMicrosoftInternet ExplorerMain]
 “Start Page”=”

New parameter examples:

http://joblist.***.ru/redir.html
http://zavarka.***/gift.htm
http://sety.***.ru/post.html
http://ok***.ok999.net

The Trojan also creates shortcuts with URLs in the following directories:

%Documents and Settings%All UsersFavorites
%Documents and Settings%All UsersStart Menu
%Documents and Settings%All UsersDesktop

%Documents and Settings%Favorites
%Documents and Settings%Start Menu
%Documents and Settings%Desktop

%WinDir%ProfilesAll UsersFavorites
%WinDir%ProfilesAll UsersStart Menu
%WinDir%ProfilesAll UsersDesktop

Examples of files created by the Trojan:

SuperNavigator.URL (http://joblist.***.ru/redir.htm)
-=Absolutno luchshaya KHALYAVA=-.URL (http://zavarka.***/gift.htm)
Znakomstva-Razvlecheniya-Chat.URL (http://www.zavarka.***)
– Vse dlya dosuga -.URL (http://sety.***.ru/post.html)

(File names are written in Cyrillic)

The Trojan also modifies the following system registry values:

[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer]
 “NoRun”=BINARY:01
 “NoClose”=BINARY:01
 “NoLogOff”=BINARY:01
 “NoDrives”=DWORD:67108863
 “NoDesktop”=DWORD:00000001
 “NoSaveSettings”=BINARY:00
 “NoViewContextMenu”=BINARY:01
 “NoTrayContextMenu”=BINARY:01
 “RestrictRun”=DWORD:00000001
 “NoSetFolders”=DWORD:01000000
 “NoFind”=DWORD:00000001
 “NoFavoritesMenu”=DWORD:00000001
 “NoRecentDocsMenu”=DWORD:00000001
 “NoSetTaskbar”=DWORD:00000001

[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
 “DisableRegistryTools”=DWORD:00000001
 “NoDevMgrPage”=DWORD:00000001

[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWinOldApp]
 “Disabled”=DWORD:00000001
 “NoRealMode”=DWORD:00000001

[HKLMEnumPCI]
 “ChannelOptions”=BINARY:02

[HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions]
 “NoBrowserClose”=DWORD:01

[HKCUControl PanelInternational]
 “stimeformat”=”HH:mm:ss tt”

These modifications may affect the stability of Windows.

Removal instructions

  1. Disable JavaScript in the browser configuration:
  2. Delete files created by the Trojan from the following directories:

    %Documents and Settings%All UsersFavorites
    %Documents and Settings%All UsersStart Menu
    %Documents and Settings%All UsersDesktop

    %Documents and Settings% %Documents and Settings% %Documents and Settings%

    %WinDir%ProfilesAll UsersFavorites
    %WinDir%ProfilesAll UsersStart Menu
    %WinDir%ProfilesAll UsersDesktop

  3. Revert the modified registry keys to their original values
  4. Update your antivirus databases and perfrom a full scan of the computer (download a trial version here).
Find out the statistics of the threats spreading in your region