AVERT has seen an increase in the number of encoded JS/Seeker samples. This is due to new decoding methods used by the engine. The majority of these samples also exploit a Microsoft virtual machine vulnerability.
This trojan alters the default startup and search pages for your web browser. The Windows Scripting Host must be installed for the trojan to run. It is believed that a script generating program may be involved in the creation of this trojan, which allows the author to specify different parameters. As there are many variants of this threat, your personal experiences may vary from those mentioned here. The trojan may arrive as a file named "runme.hta". Opening this file makes several registry changes to your system, such as:
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Netscape\Netscape Navigator\Main\Home Page
Original registry values are saved to the files "HOMEREG111.REG", "BACKUP1.REG", and "BACKUP2.REG" in the WINDOWS directory.
Symptoms
- Altered startup and search pages when launching web browser
- Presence of "runme.hta", "removeit.hta", or "homereg111.reg"
Method Of Infection
Upon execution, new registry values are written to a file named "homereg111.reg"; existing registry values are saved to "backup1.reg", and "backup2.reg". "homereg111.reg" is then imported in to the registry. Finally "removeit.hta" is ran which attempts to delete the file, "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta".
Removal Instructions
Use specified engine and DAT files for detection and removal.
- Delete detected files
- Restore desired Internet Explorer Start and Search pages
- Install the Microsoft virtual machine vulnerability patch.
Variants
Name Type Sub Type Differences
Top of Page
Aliases
Name
js.seeker
JS_SEEKER.A
JS_SEEKER.B