Detect Date: 04/06/2006
Class: Trojan
Platform: JS

Technical Details

This script, written in JavaScript, silently changes the browser's home page and search page without user confirmation.

The script uses an MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows start-up directory. This file automatically runs upon the next Windows start-up, at which point the script gains control.

The script in the HTA file modifies the system registry keys where the home and search page addresses are specified (before modifying the keys, the script saves their values to the files BACKUP1.REG and BACKUP2.REG in the Windows directory). After this, the script deletes the HTA file (and itself).
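The artifacts described above map to two stages: an HTA still in the start-up directory means the payload has not yet run, while BACKUP1.REG or BACKUP2.REG in the Windows directory means the registry has already been changed and the original values are recoverable. The following triage sketch is an added example, not code from this description or from the vendor; the directory paths are supplied by the caller, and the assumption that the backup files are ordinary REGEDIT text exports is mine.

```python
import re
from pathlib import Path

# File names come from the description; the REGEDIT text format is an assumption.
BACKUP_NAMES = {"backup1.reg", "backup2.reg"}
_KEY = re.compile(r"^\[(.+)\]$")
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_artifacts(startup_dirs, windows_dir):
    """Return (hta_files, backup_files); names are matched case-insensitively."""
    hta, backups = [], []
    for d in map(Path, startup_dirs):
        if d.is_dir():
            # The description does not name the HTA, so every .hta is reported.
            hta += [p for p in d.iterdir() if p.suffix.lower() == ".hta"]
    win = Path(windows_dir)
    if win.is_dir():
        backups = [p for p in win.iterdir() if p.name.lower() in BACKUP_NAMES]
    return sorted(hta), sorted(backups)

def assess(hta, backups):
    """Map the artifacts to the stage of the infection chain described above."""
    if backups:
        return "executed"   # registry already modified, originals saved
    if hta:
        return "pending"    # HTA dropped, runs at the next Windows start-up
    return "none"

def read_reg_text(path):
    """Decode a .reg file: UTF-16 if it starts with a BOM, otherwise ANSI."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_strings(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = _KEY.match(line)
        if m:
            key = m.group(1)
        elif key and (m := _STR.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))
```

Run it against a mounted disk image or a live system by passing the per-user and all-users start-up folders and the Windows directory; the parsed backup values show what the home and search page settings were before the change.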

