 |
||
| ||
| |||||
| Dernière réponse | |
|---|---|
| Sujet : Trojan JSSEEKER qqn connait? | |
| Krapaud | AVERT has seen an increase in the number of encoded JS/Seeker samples. This is due to new decoding methods used by the engine. The majority of these samples also exploit a Microsoft virtual machine vulnerability. This trojan alters the default startup and search pages for your web browser. The Windows Scripting Host must be installed for the trojan to run. It is believed that a script generating program may be involved in the creation of this trojan, which allows the author to specify different parameters. As there are many variants of this threat, your personal experiences may vary from those mentioned here. The trojan may arrive as a file named "runme.hta". Opening this file makes several registry changes to your system, such as: HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL HKCU\Software\Netscape\Netscape Navigator\Main\Home Page Original registry values are saved to the files "HOMEREG111.REG", "BACKUP1.REG", and "BACKUP2.REG" in the WINDOWS directory. Symptoms - Altered startup and search pages when launching web browser - Presence of "runme.hta", "removeit.hta", or "homereg111.reg" Method Of Infection Upon execution, new registry values are written to a file named "homereg111.reg"; existing registry values are saved to "backup1.reg", and "backup2.reg". "homereg111.reg" is then imported in to the registry. Finally "removeit.hta" is ran which attempts to delete the file, "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta". Removal Instructions Use specified engine and DAT files for detection and removal. - Delete detected files - Restore desired Internet Explorer Start and Search pages - Install the Microsoft virtual machine vulnerability patch. Variants Name Type Sub Type Differences Top of Page Aliases Name js.seeker JS_SEEKER.A JS_SEEKER.B |
| Vue Rapide de la discussion |
|---|
