Parent class: TrojWare
Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.Class: Trojan
A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).Read more
Platform: JS
JavaScript (JS) is a prototype-based programming language. JavaScript has traditionally been implemented as an interpreted language. The most common use is in web browsers, where it is used for scripting to add interactivity to web pages.Description
Technical Details
The Trojan program modifies the Internet Explorer home page and adds new links to 'Favorites' without the knowledge or consent of the user.
The Trojan is written in JavaScript. It locates hypertext documents on web sites and in emails. It only functions if browser support for JavaScript is enabled.
Payload
The Trojan modifies the following system registry keys:
[HKLMSoftwareMicrosoftInternet ExplorerMain]
"Start Page"="
New parameter examples:
http://zavarka.***/gift.htm
http://sety.***.ru/post.html
http://ok***.ok999.net
The Trojan also creates shortcuts with URLs in the following directories:
%Documents and Settings%All UsersFavorites
%Documents and Settings%All UsersStart Menu
%Documents and Settings%All UsersDesktop
%Documents and Settings%
%Documents and Settings%
%Documents and Settings%
%WinDir%ProfilesAll UsersFavorites
%WinDir%ProfilesAll UsersStart Menu
%WinDir%ProfilesAll UsersDesktop
Examples of files created by the Trojan:
-=Absolutno luchshaya KHALYAVA=-.URL (http://zavarka.***/gift.htm)
Znakomstva-Razvlecheniya-Chat.URL (http://www.zavarka.***)
- Vse dlya dosuga -.URL (http://sety.***.ru/post.html)
(File names are written in Cyrillic)
The Trojan also modifies the following system registry values:
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer]
"NoRun"=BINARY:01
"NoClose"=BINARY:01
"NoLogOff"=BINARY:01
"NoDrives"=DWORD:67108863
"NoDesktop"=DWORD:00000001
"NoSaveSettings"=BINARY:00
"NoViewContextMenu"=BINARY:01
"NoTrayContextMenu"=BINARY:01
"RestrictRun"=DWORD:00000001
"NoSetFolders"=DWORD:01000000
"NoFind"=DWORD:00000001
"NoFavoritesMenu"=DWORD:00000001
"NoRecentDocsMenu"=DWORD:00000001
"NoSetTaskbar"=DWORD:00000001
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
"DisableRegistryTools"=DWORD:00000001
"NoDevMgrPage"=DWORD:00000001
[HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWinOldApp]
"Disabled"=DWORD:00000001
"NoRealMode"=DWORD:00000001
[HKLMEnumPCI]
"ChannelOptions"=BINARY:02
[HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions]
"NoBrowserClose"=DWORD:01
[HKCUControl PanelInternational]
"stimeformat"="HH:mm:ss tt"
These modifications may affect the stability of Windows.
Removal instructions
- Disable JavaScript in the browser configuration:
- Delete files created by the Trojan from the following directories:
%Documents and Settings%All UsersFavorites
%Documents and Settings%All UsersStart Menu
%Documents and Settings%All UsersDesktop
%Documents and Settings%
%WinDir%ProfilesAll UsersFavorites
%WinDir%ProfilesAll UsersStart Menu
%WinDir%ProfilesAll UsersDesktop
- Revert the modified registry keys to their original values
- Update your antivirus databases and perfrom a full scan of the computer (download a trial version here).
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com