Trojan.Offensive can seriously damage your PC

Be careful where you surf! This Web-based ActiveX Trojan horse can render your Windows PC absolutely useless.
Written by Robert Vamosi, Contributor

A Trojan horse that uses ActiveX is lurking on the Internet. Trojan.Offensive could arrive via e-mail as a link to a Web page ending in .html. When opened, the Web page displays a button that says "Start." If it is pressed, Offensive will severely damage your Windows operating system: no icons will be visible on the desktop, no programs will execute, you will not be able to shut down Windows, and you will not be able to work around these effects in Safe Mode either. According to Symantec, if you have been affected by Offensive, you should contact a computer professional. Because Offensive is not yet widely reported but may cause serious damage, it currently ranks as a 5 on the ZDNet Virus Meter.

How it works
According to the Symantec AntiVirus Research Center (SARC), the following changes are made to the Windows system registry when Offensive is executed:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Values:
  RestrictRun
  NoChangeStartMenu
  NoClose
  NoDrives
  NoDriveTypeAutoRun
  NoFavoritesMenu
  NoFileMenu
  NoFind
  NoFolderOptions
  NoInternetIcon
  NoRecentDocsMenu
  NoLogOff
  NoRun
  NoSetActiveDesktop
  NoSetFolders
  NoSetTaskbar
  NoWindowsUpdate
  NoDesktop
  NoViewContextMenu
  NoNetHood
  NoEntireNetwork
  NoWorkgroupContents
  NoSaveSettings

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Values:
  DisableRegistryTools
  NoConfigPage
  NoDevMgrPage
  NoDispAppearancePage
  NoDispScrSavPage
  NoDispBackgroundPage
  NoDispSettingsPage
  NoFileSysPage
  NoVirtMemPage

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Values:
  NoRealMode
  Disabled

Keys:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Values:
  Window Title
  Start Page

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
Values:
  LegalNoticeCaption
  LegalNoticeText

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}
Values:
  ButtonText
  CLSID
  DefaultVisible
  Exec
  MenuStatusBar
  MenuText

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\how to * japanese

Key: HKEY_CLASSES_ROOT\Drive\shell\how to * japan

Keys:
  HKEY_LOCAL_MACHINE\Software\CLASSES\.exe
  HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
  HKEY_LOCAL_MACHINE\Software\CLASSES\.htm
  HKEY_LOCAL_MACHINE\Software\CLASSES\.html
  HKEY_LOCAL_MACHINE\Software\CLASSES\.txt
  HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
  HKEY_LOCAL_MACHINE\Software\CLASSES\.dll
  HKEY_LOCAL_MACHINE\Software\CLASSES\.ini
  HKEY_LOCAL_MACHINE\Software\CLASSES\.sys
  HKEY_LOCAL_MACHINE\Software\CLASSES\.com
  HKEY_LOCAL_MACHINE\Software\CLASSES\.bat
Value:
  (default) is set to textfile

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Values:
  internat.exe
  ScanRegistry
  TaskMonitor
  SystemTray
  LoadPowerProfile

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Values:
  LoadPowerProfile
  SchedulingAgent

To restore the registry settings changed by Trojan.Offensive, you must either edit the registry from the command line at a DOS prompt (which is not advised), restore the registry from a backup, or reinstall Windows.
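The policy values listed above are the ones a defender would audit first, because every one of them is a documented Explorer or System restriction that a home user almost never sets deliberately. The script below is an added example written for this page; it is not code from the article or from Symantec. It assumes a modern Windows host with PowerShell (the Windows 9x systems the article targets had neither), takes its key paths and value names from the article's list, and reports any restriction that is switched on, any LegalNotice banner text, and any file class whose default handler has been re-pointed at the text-file handler. With the hypothetical -Remediate switch it removes the restriction values; it supports -WhatIf so you can see what it would remove first.

```powershell
# Added example (not from the article or Symantec): audit the registry
# locations the article attributes to Trojan.Offensive and optionally
# remove the restriction values. Assumes Windows PowerShell 5.1 or later.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)   # -Remediate is this script's own switch

# Policy values the article lists. A non-zero DWORD switches the restriction on.
$policyChecks = @{
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
    'RestrictRun','NoChangeStartMenu','NoClose','NoDrives','NoDriveTypeAutoRun',
    'NoFavoritesMenu','NoFileMenu','NoFind','NoFolderOptions','NoInternetIcon',
    'NoRecentDocsMenu','NoLogOff','NoRun','NoSetActiveDesktop','NoSetFolders',
    'NoSetTaskbar','NoWindowsUpdate','NoDesktop','NoViewContextMenu','NoNetHood',
    'NoEntireNetwork','NoWorkgroupContents','NoSaveSettings')
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
    'DisableRegistryTools','NoConfigPage','NoDevMgrPage','NoDispAppearancePage',
    'NoDispScrSavPage','NoDispBackgroundPage','NoDispSettingsPage','NoFileSysPage',
    'NoVirtMemPage')
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp' = @(
    'NoRealMode','Disabled')
}

# Caveat: modern Windows sets NoDriveTypeAutoRun itself (0x91 is the usual
# default), so it is reported for context but never removed automatically.
$reportOnly = @('NoDriveTypeAutoRun')

# File classes the article says are re-pointed at the text-file handler.
$hijackedClasses = '.exe','.reg','.htm','.html','.txt','.inf','.dll','.ini','.sys','.com','.bat'

$findings = @()

# 1. Shell / system / DOS-box restriction policies
foreach ($key in $policyChecks.Keys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-ItemProperty -Path $key
  foreach ($name in $policyChecks[$key]) {
    $prop = $item.PSObject.Properties[$name]
    if ($null -eq $prop -or $prop.Value -eq 0) { continue }
    $findings += [pscustomobject]@{ Where = "$key\$name"; Value = $prop.Value; Kind = 'Restriction' }
    if ($Remediate -and $name -notin $reportOnly -and
        $PSCmdlet.ShouldProcess("$key\$name", 'Remove restriction value')) {
      Remove-ItemProperty -Path $key -Name $name
    }
  }
}

# 2. Logon banner text written to Winlogon (report only; an admin may have set it)
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
foreach ($name in 'LegalNoticeCaption','LegalNoticeText') {
  $text = $winlogon.$name
  if (-not [string]::IsNullOrEmpty($text)) {
    $findings += [pscustomobject]@{ Where = "Winlogon\$name"; Value = $text; Kind = 'LogonBanner' }
  }
}

# 3. File classes whose (default) now names the text-file handler.
#    .txt legitimately maps to txtfile, so it is excluded from that match.
foreach ($ext in $hijackedClasses) {
  $cls = Get-ItemProperty -Path "HKLM:\Software\Classes\$ext" -ErrorAction SilentlyContinue
  $default = $cls.'(default)'
  if ($default -eq 'textfile' -or ($default -eq 'txtfile' -and $ext -ne '.txt')) {
    $findings += [pscustomobject]@{ Where = "Classes\$ext"; Value = $default; Kind = 'ClassHijack' }
  }
}

if ($findings.Count -eq 0) {
  Write-Output 'No Offensive-style registry changes found.'
} else {
  $findings | Format-Table -AutoSize
}
```

Run it once without -Remediate to see the report, then with -Remediate -WhatIf to preview the removals. The Winlogon path is the one modern Windows uses (under Windows NT\CurrentVersion); the article's Windows 9x path differs, and the class hijack is reported but not reverted because the correct handler (exefile, regfile, htmlfile, and so on) depends on the Windows version and is better restored from a known-good export.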

Prevention
At this time, only Symantec has updated its signature files to include Offensive. For more information on preventing and removing Offensive from your system, see Symantec's advisory.