A Trojan horse that uses ActiveX is lurking on the Internet. Trojan horse Offensive, so named because it makes offensive references within the Windows registry, could arrive via email as a link to a Web page ending in .html. When opened, the Web page will display a button that says "Start." If pressed, Offensive will severely damage your Windows operating system: no icons will be visible on the desktop, no programs will execute, you will not be able to shut down Windows, and you will not be able to work around these effects in the Safe Mode either. According to Symantec, if you have been affected by Offensive, you should contact a computer professional.
How it works
According to Symantec AntiVirus Research Center (SARC), the following changes are made to the Windows system registry when Offensive is executed:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Values:
  RestrictRun
  NoChangeStartMenu
  NoClose
  NoDrives
  NoDriveTypeAutoRun
  NoFavoritesMenu
  NoFileMenu
  NoFind
  NoFolderOptions
  NoInternetIcon
  NoRecentDocsMenu
  NoLogOff
  NoRun
  NoSetActiveDesktop
  NoSetFolders
  NoSetTaskbar
  NoWindowsUpdate
  NoDesktop
  NoViewContextMenu
  NoNetHood
  NoEntireNetwork
  NoWorkgroupContents
  NoSaveSettings

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Values:
  DisableRegistryTools
  NoConfigPage
  NoDevMgrPage
  NoDispAppearancePage
  NoDispScrSavPage
  NoDispBackgroundPage
  NoDispSettingsPage
  NoFileSysPage
  NoVirtMemPage

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Values:
  NoRealMode
  Disabled

Keys:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Window Title
Values:
  Window Title
  Start Page

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
Values:
  LegalNoticeCaption
  LegalNoticeText

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}
Values:
  ButtonText
  CLSID
  DefaultVisible
  Exec
  MenuStatusBar
  MenuText

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\how to *
  japanese

Key: HKEY_CLASSES_ROOT\Drive\shell\how to *
  japan

Keys:
  HKEY_LOCAL_MACHINE\Software\CLASSES\.exe
  HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
  HKEY_LOCAL_MACHINE\Software\CLASSES\.htm
  HKEY_LOCAL_MACHINE\Software\CLASSES\.html
  HKEY_LOCAL_MACHINE\Software\CLASSES\.txt
  HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
  HKEY_LOCAL_MACHINE\Software\CLASSES\.dll
  HKEY_LOCAL_MACHINE\Software\CLASSES\.ini
  HKEY_LOCAL_MACHINE\Software\CLASSES\.sys
  HKEY_LOCAL_MACHINE\Software\CLASSES\.com
  HKEY_LOCAL_MACHINE\Software\CLASSES\.bat
Value: (default) is set to textfile

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Values:
  internat.exe
  ScanRegistry
  TaskMonitor
  SystemTray
  LoadPowerProfile

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Values:
  LoadPowerProfile
  SchedulingAgent
In order to restore the registry settings changed by Trojan.Offensive, you must edit the registry from a command line at a DOS prompt (which is not advised), restore the registry from a backup, or reload Windows.
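Because the damage is confined to registry policy values and file-class defaults, an exported copy of the registry can be triaged offline to confirm an infection before deciding between a backup restore and a reinstall. The script below is an added example, not part of the Symantec or McAfee advisories: it parses a `.reg` export (the format written by `regedit /e`) and flags the indicators listed above, namely any Explorer/System/WinOldApp restriction policy set to a nonzero value, any file class whose (default) value has been pointed at "textfile", and any Winlogon legal-notice text. The embedded export fragment is constructed for the example; the specific dword values in it are assumptions, since the article only names the values the Trojan touches.

```python
import re
from typing import Any, Dict, List, Tuple

# Registry keys and value names from the SARC listing in the article.
POLICY_KEYS: Dict[str, List[str]] = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": [
        "RestrictRun", "NoChangeStartMenu", "NoClose", "NoDrives", "NoDriveTypeAutoRun",
        "NoFavoritesMenu", "NoFileMenu", "NoFind", "NoFolderOptions", "NoInternetIcon",
        "NoRecentDocsMenu", "NoLogOff", "NoRun", "NoSetActiveDesktop", "NoSetFolders",
        "NoSetTaskbar", "NoWindowsUpdate", "NoDesktop", "NoViewContextMenu", "NoNetHood",
        "NoEntireNetwork", "NoWorkgroupContents", "NoSaveSettings",
    ],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": [
        "DisableRegistryTools", "NoConfigPage", "NoDevMgrPage", "NoDispAppearancePage",
        "NoDispScrSavPage", "NoDispBackgroundPage", "NoDispSettingsPage", "NoFileSysPage",
        "NoVirtMemPage",
    ],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp": [
        "NoRealMode", "Disabled",
    ],
}
# File classes whose (default) value the Trojan points at "textfile".
CLASS_EXTENSIONS = [".exe", ".reg", ".htm", ".html", ".txt", ".inf",
                    ".dll", ".ini", ".sys", ".com", ".bat"]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon"

# Constructed sample export (assumed values). Note the ".txt" class still has its
# normal "txtfile" default, so it must not be flagged.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"Nodesktop"=dword:00000001
"NoDrives"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"="(caption text elided)"

[HKEY_LOCAL_MACHINE\Software\CLASSES\.exe]
@="textfile"

[HKEY_LOCAL_MACHINE\Software\CLASSES\.txt]
@="txtfile"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4/.reg export into {key_path: {value_name: raw_data}}.
    The default value is stored under the name "(default)"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group(1) if value.group(1) is not None else "(default)"
            keys[current][name] = value.group(2)
    return keys


def decode_data(raw: str) -> Any:
    """Turn a raw .reg data field into an int (dword) or a str (quoted string)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def _values_of(keys: Dict[str, Dict[str, str]], key_path: str) -> Dict[str, str]:
    """Case-insensitive lookup of a key; value names are returned lowercased."""
    for path, values in keys.items():
        if path.lower() == key_path.lower():
            return {name.lower(): data for name, data in values.items()}
    return {}


def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every Offensive indicator present."""
    findings: List[Tuple[str, str, str]] = []
    for key, names in POLICY_KEYS.items():
        values = _values_of(keys, key)
        for name in names:
            raw = values.get(name.lower())
            if raw is not None and decode_data(raw) not in (0, "", "0"):
                findings.append((key, name, f"restriction policy set to {decode_data(raw)!r}"))
    for ext in CLASS_EXTENSIONS:
        key = r"HKEY_LOCAL_MACHINE\Software\CLASSES" + "\\" + ext
        default = _values_of(keys, key).get("(default)")
        if default is not None and str(decode_data(default)).lower() == "textfile":
            findings.append((key, "(default)", "file class default redirected to 'textfile'"))
    winlogon = _values_of(keys, WINLOGON_KEY)
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if decode_data(winlogon.get(name.lower(), "")):
            findings.append((WINLOGON_KEY, name, "logon legal notice set"))
    return findings


def audit_export(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, reason in audit_export(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

The lookups are case-insensitive on purpose: the value name is written "Nodesktop" in the advisory but "NoDesktop" elsewhere, and the registry itself does not distinguish. A hit on any of the file-class defaults is the strongest single indicator, since nothing legitimate maps `.exe` to "textfile"; isolated policy values can also be set by a local administrator and should be read alongside the rest of the findings.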
Prevention
At this time, only a few antivirus companies have updated their signature files to include Offensive. You can limit your chances of exposure to Offensive by disabling ActiveX components, or accepting them only selectively, when visiting untrusted Web sites. For more information on preventing and removing Offensive from your system, see the advisories from McAfee and Symantec.