Trojan.Offensive can seriously damage your PC

Be careful where you surf! This Web-based ActiveX Trojan horse can render your Windows PC absolutely useless.

A Trojan horse that uses ActiveX is lurking on the Internet. Trojan.Offensive could arrive via e-mail as a link to a Web page ending .html. When opened, the Web page will display a button that says "Start." If pressed, Offensive will severely damage your Windows operating system: no icons will be visible on the desktop, no programs will execute, you will not be able to shut down Windows, and you will not be able to work around these effects in the Safe Mode either. According to Symantec, if you have been affected by Offensive, you should contact a computer professional. Because Offensive is not yet widely reported but may cause serious damage, it currently ranks as a 5 on the ZDNet Virus Meter.

How it works
According to Symantec AntiVirus Research Center (SARC), the following changes are made to the Windows system registry when Offensive is executed:

Key:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\Explorer
Values:
RestrictRun
NoChangeStartMenu
NoClose
NoDrives
NoDriveTypeAutoRun
NoFavoritesMenu
NoFileMenu
NoFind
NoFolderOptions
NoInternetIcon
NoRecentDocsMenu
NoLogOff
NoRun
NoSetActiveDesktop
NoSetFolders
NoSetTaskbar
NoWindowsUpdate
Nodesktop
NoViewContextMenu
NoNetHooD
NoEntioeNetwork
NoWorkgroupContents
NoSaveSettings

Key:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System
Values:
DisableRegistryTools
NoConfigPage
NoDevMgrPage
NoDispAppearancePage
NoDispScrSavPage
NoDispBackgroundPage
NoDispSettingsPage
NoFileSysPage
NoVirtMemPage

Key:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\WinOldApp

Values:
NoRealMode
Disabled

Keys:
HKEY_CURRENT_USER\Software\Microsoft\
InternetExplorer\Main\Window Title

HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Main\Window Title
Values:
Window Title
Start Page

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Winlogon
Values:
LegalNoticeCaption
LegalNoticeText

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Internet Explorer\Extensions\
{C18CB140-0BBB-11D4-8FE8-0088CC102438}

Values:
ButtonText
CLSID
DefaultVisible
Exec
MenuStatusBar
MenuText

Key:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\MenuExt\how to * japanese

Key:
HKEY_CLASSES_ROOT\Drive\shell\how to * japan

Keys:
HKEY_LOCAL_MACHINE\Software\CLASSES\.exe
HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
HKEY_LOCAL_MACHINE\Software\CLASSES\.htm
HKEY_LOCAL_MACHINE\Software\CLASSES\.html
HKEY_LOCAL_MACHINE\Software\CLASSES\.txt
HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
HKEY_LOCAL_MACHINE\Software\CLASSES\.dll
HKEY_LOCAL_MACHINE\Software\CLASSES\.ini
HKEY_LOCAL_MACHINE\Software\CLASSES\.sys
HKEY_LOCAL_MACHINE\Software\CLASSES\.com
HKEY_LOCAL_MACHINE\Software\CLASSES\.bat
Value:
(default) is set to textfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Value:
internat.exe
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Value:
LoadPowerProfile
SchedulingAgent

In order to restore the registry settings changed by Trojan.Offensive, you must either edit the registry from a command line at a DOS prompt (which is not advised), or restore the registry from a backup, or reload Windows.

Prevention
At this time, only Symantec has updated their signature files to include Offensive. For more information on preventing and removing Offensive from your system, see Symantec's advisory.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All