"Offensive" Trojan - VIRUS

Beth

New Member
Hi all,
Here's another one to watch out for. Look for updates to protect yourselves, and change your browser setting to NOT automatically allow ActiveX.
Surf Safely!
Beth
==============================================
A Trojan horse that uses ActiveX is lurking on the Internet. Trojan horse Offensive, so named because it makes offensive references within the Windows registry, could arrive via e-mail as a link to a Web page ending in .html. When opened, the Web page will display a button that says "Start." If pressed, Offensive will severely damage your Windows operating system: no icons will be visible on the desktop, no programs will execute, you will not be able to shut down Windows, and you will not be able to work around these effects in the Safe Mode either. According to Symantec, if you have been affected by Offensive, you should contact a computer professional. Because Offensive is not yet widely reported but may cause serious damage, it currently ranks as a 5 on the ZDNet Virus Meter.

How it works
According to Symantec AntiVirus Research Center (SARC), the following changes are made to the Windows system registry when Offensive is executed:

Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Values:
RestrictRun
NoChangeStartMenu
NoClose
NoDrives
NoDriveTypeAutoRun
NoFavoritesMenu
NoFileMenu
NoFind
NoFolderOptions
NoInternetIcon
NoRecentDocsMenu
NoLogOff
NoRun
NoSetActiveDesktop
NoSetFolders
NoSetTaskbar
NoWindowsUpdate
Nodesktop
NoViewContextMenu
NoNetHooD
NoEntioeNetwork
NoWorkgroupContents
NoSaveSettings

Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Values:
DisableRegistryTools
NoConfigPage
NoDevMgrPage
NoDispAppearancePage
NoDispScrSavPage
NoDispBackgroundPage
NoDispSettingsPage
NoFileSysPage
NoVirtMemPage

Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Values:
NoRealMode
Disabled

Keys:
HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\Window Title

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Window Title
Values:
Window Title
Start Page

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
Values:
LegalNoticeCaption
LegalNoticeText

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}
Values:
ButtonText
CLSID
DefaultVisible
Exec
MenuStatusBar
MenuText

Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\how to * japanese

Key:
HKEY_CLASSES_ROOT\Drive\shell\how to * japan

Keys:
HKEY_LOCAL_MACHINE\Software\CLASSES\.exe
HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
HKEY_LOCAL_MACHINE\Software\CLASSES\.htm
HKEY_LOCAL_MACHINE\Software\CLASSES\.html
HKEY_LOCAL_MACHINE\Software\CLASSES\.txt
HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
HKEY_LOCAL_MACHINE\Software\CLASSES\.dll
HKEY_LOCAL_MACHINE\Software\CLASSES\.ini
HKEY_LOCAL_MACHINE\Software\CLASSES\.sys
HKEY_LOCAL_MACHINE\Software\CLASSES\.com
HKEY_LOCAL_MACHINE\Software\CLASSES\.bat
Value:
(default) is set to textfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Values:
internat.exe
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Values:
LoadPowerProfile
SchedulingAgent

In order to restore the registry settings changed by Trojan.Offensive, you must edit the registry from a command line at a DOS prompt (which is not advised), restore the registry from a backup, or reload Windows.

Prevention
At this time, only a few antivirus companies have updated their signature files to include Offensive. You can limit your chances of exposure to Offensive by disabling or selectively accepting ActiveX components when visiting untrusted Web sites. For more information on preventing and removing Offensive from your system, see the advisories from McAfee, and Symantec.
=============================
A malicious program that masquerades as a Web page or HTML e-mail has dire consequences for those who fall for its ruse, antivirus experts said this week.
Known as Trojan.Offensive, the program takes advantage of a 10-month-old flaw in Microsoft's version of the Java Virtual Machine to overwrite critical system settings--called the registry--leaving Windows computers unusable. The operating system on the victimized PC must be reinstalled or repaired through an arduous process.

"No data loss actually occurs, but the computer is basically hosed," said Craig Schmugar, a virus researcher for security software maker Network Associates.

In its current incarnation, the Trojan horse arrives in an e-mail message and appears to be an HTML document with a single hyperlinked word: "Start." Recipients of the e-mail who click the link, however, will cause a JavaScript program to run; that program will take advantage of a flaw in Microsoft's Java Virtual Machine--software used to run programs written in Sun Microsystems' Java language--to modify the system's registry.

The flaw affects all versions of Windows running Microsoft's Internet Explorer 3.0 to 5.5sp1.

By changing almost 50 registry values, the malicious program disables all programs, prevents Windows from being shut down, and makes icons on the Windows desktop disappear. Because no programs will run--not even antivirus scanners--the Windows operating system on the PC cannot be automatically repaired.

While truly irksome, the program is not widespread.

Also known as JS/Offensive, the damaging code does not spread on its own like a virus--it must be forwarded manually. Although Network Associates has not seen any cases of the Trojan horse, antivirus company Symantec has had "a handful" of customers in Japan report incidents.

"There could be more reports of it and we just don't know about it, because the victims' computers don't work and so they can't send e-mail," said Motoaki Yamamura, senior development manager for Symantec. "But we don't think it's very widespread, because it's a Trojan, not a virus."

Trojan.Offensive is aptly named.

In addition to making the victim's PC unusable until the system registry is fixed or the operating system is reinstalled, the program spouts a slur against Japanese people when the computer is physically restarted.

"If you have any trouble, please email findlu@21cn.com," states a dialog box that appears upon start-up. "Note: Not for Japanese & dog & pig." 21cn.com is a Chinese-language Web site based in the Guangdong province of China. The administrative contact for the site could not be reached by e-mail.

Because the flaw in Microsoft's Java Virtual Machine is 10 months old and a patch has been available for some time, many computer users will not be vulnerable to the Trojan.

In addition, people have started to trust e-mail a lot less, said Symantec's Yamamura.

"I think a lot of consumers are better about practicing safe computing," he said. Surfers who disable ActiveX in the browser are also safe from the Trojan horse.
 

Dan Flynn

PWN Founder
Thanks Beth,

I never heard of this one. Sounds like a bad one. Will virus software detect the web page with the bad link?
 

Beth

New Member
I doubt it. Typically, virus software checks for things on your hard drive, or, coming "in" to your system via email or download. In this case I would suspect that the virus will begin to write files, or download an applet, at which time your software will pick it up IF there is a fix for it.

If you change the browser settings so that you don't allow ActiveX to automatically run, you will be fine.

Beth

:)
 

Beth

New Member
Go to:
Tools
select Internet Options
click the Security tab
click Custom Level button
scroll to the ActiveX area and choose either the Disable or Prompt options. Disable will not allow them at all, Prompt will give you a window first so you can choose.

Let me know if I can help further :)

Beth
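The script below is an added example; it is not code from this thread, from the ZDNet/Symantec advisory Beth pasted, or from any antivirus vendor. It serves two passages at once: the advisory's list of Policies\Explorer and Policies\System values that Trojan.Offensive sets, and Beth's Tools > Internet Options > Security > Custom Level steps for the ActiveX setting. It parses a .reg export offline and reports (1) which of the advisory's policy values are set to a non-zero DWORD, as a defender's post-incident check on a registry export taken from a backup or an offline copy of an affected disk, and (2) whether the Internet zone's "Run ActiveX controls and plug-ins" setting is enable, prompt or disable. Assumptions the page does not state: that setting is the DWORD named 1200 under Internet Settings\Zones\3, with 0 = enable, 1 = prompt, 3 = disable; NoDriveTypeAutoRun is skipped as evidence because Windows commonly sets it on its own; the sample .reg text is constructed.

```python
# Offline check of a Windows .reg export for (a) the Policies\Explorer and
# Policies\System values the advisory attributes to Trojan.Offensive and
# (b) the Internet-zone ActiveX run setting Beth's instructions change.
# Added example; value-name spellings follow the advisory as pasted above.
import re

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Assumption (not from the page): zone 3 is the Internet zone, DWORD "1200" is
# "Run ActiveX controls and plug-ins", 0 = enable, 1 = prompt, 3 = disable.
INTERNET_ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ACTIVEX_RUN_ACTION = "1200"
ZONE_ACTION_NAMES = {0: "enable", 1: "prompt", 3: "disable"}

# Registry names are case-insensitive, so everything is compared in lower case.
OFFENSIVE_VALUES = {
    EXPLORER_KEY.lower(): {n.lower() for n in (
        "RestrictRun", "NoChangeStartMenu", "NoClose", "NoDrives", "NoDriveTypeAutoRun",
        "NoFavoritesMenu", "NoFileMenu", "NoFind", "NoFolderOptions", "NoInternetIcon",
        "NoRecentDocsMenu", "NoLogOff", "NoRun", "NoSetActiveDesktop", "NoSetFolders",
        "NoSetTaskbar", "NoWindowsUpdate", "Nodesktop", "NoViewContextMenu", "NoNetHooD",
        "NoEntioeNetwork", "NoWorkgroupContents", "NoSaveSettings")},
    SYSTEM_KEY.lower(): {n.lower() for n in (
        "DisableRegistryTools", "NoConfigPage", "NoDevMgrPage", "NoDispAppearancePage",
        "NoDispScrSavPage", "NoDispBackgroundPage", "NoDispSettingsPage", "NoFileSysPage",
        "NoVirtMemPage")},
}
# Commonly present on a healthy system, so not counted as evidence on its own.
BENIGN_BY_DEFAULT = {"nodrivetypeautorun"}

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(?:"((?:[^"\\]|\\.)+)"|(@))=(.+)')


def parse_reg(text):
    """Parse .reg export text into {key_lower: (key, {name_lower: (name, kind, data)})}.

    dword:XXXXXXXX becomes ("dword", int) and "..." becomes ("sz", str);
    any other data type is kept as ("other", raw_text).
    """
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            keys.setdefault(current.lower(), (current, {}))
            continue
        m = _VALUE_RE.fullmatch(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3)
        if data.lower().startswith("dword:"):
            parsed = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            parsed = ("sz", data[1:-1])
        else:
            parsed = ("other", data)
        keys[current.lower()][1][name.lower()] = (name,) + parsed
    return keys


def offensive_policy_hits(keys):
    """Advisory-listed policy values set to a non-zero DWORD, as sorted 'Key\\Name' strings."""
    hits = []
    for key_lower, names in OFFENSIVE_VALUES.items():
        key, values = keys.get(key_lower, (key_lower, {}))
        for name_lower, (name, kind, data) in values.items():
            if (name_lower in names and name_lower not in BENIGN_BY_DEFAULT
                    and kind == "dword" and data != 0):
                hits.append(f"{key}\\{name}")
    return sorted(hits)


def activex_setting(keys):
    """Internet-zone ActiveX run setting: 'enable', 'prompt', 'disable' or 'unknown'."""
    _, values = keys.get(INTERNET_ZONE_KEY.lower(), ("", {}))
    entry = values.get(ACTIVEX_RUN_ACTION)
    if entry is None or entry[1] != "dword":
        return "unknown"
    return ZONE_ACTION_NAMES.get(entry[2], "unknown")


def assess(reg_text):
    """Combine both checks into one report dict."""
    keys = parse_reg(reg_text)
    hits = offensive_policy_hits(keys)
    verdict = "policy lockdown present" if hits else "no advisory policy values set"
    return {"hits": hits, "activex_internet_zone": activex_setting(keys), "verdict": verdict}


# Constructed sample export: a few of the advisory's values plus ActiveX set to Disable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDesktop"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="constructed sample title"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"""

if __name__ == "__main__":
    for line in assess(SAMPLE_REG)["hits"]:
        print("set:", line)
    print(assess(SAMPLE_REG)["verdict"], "| ActiveX (Internet zone):",
          assess(SAMPLE_REG)["activex_internet_zone"])
```

Feed it the text of an export made with regedit's File > Export (or `regedit /e`); because the advisory says an affected machine runs no programs at all, the export has to come from a registry backup or an offline copy rather than from the locked-down system itself. The ActiveX check reads the Internet zone only; the other zones live under the sibling keys 0 to 4 and can be checked the same way by changing INTERNET_ZONE_KEY.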
 

Jon

New Member
Beth, for those that might not know how to change the settings on ActiveX, how about explaining it to them here like you did with me by email a couple of months back.
 

Beth

New Member
{tilts her head to the right, and scratches the top of it....}

Um...well...er....that's what I did above. It was....too basic? Need detail?

Forward me back the email and I'll embellish and post.

Thanks Jon!

Beth
:cool:
 
