Trojan JSSEEKER qqn connait?

Trojan JSSEEKER qqn connait? - Windows & Software

Marsh Posté le 07-02-2002 à 14:05:43    

j'en ai déjà parlé un peu hier...
est-ce qqn a des infos sur ce virus?


---------------
Mieux vaut vivre avec des remords qu'avec des regrets :jap:
Reply

Marsh Posté le 07-02-2002 à 14:05:43   

Reply

Marsh Posté le 07-02-2002 à 14:07:48    

http://www.symantec.com/avcenter/v [...] eeker.html
 
 
When JS.Seeker is executed, it makes changes to the following registry keys:
 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page  
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar  
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL  
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL  
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page
 
The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg .  
 
The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.
 
JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.


---------------
Resolution of Censure
Reply

Marsh Posté le 07-02-2002 à 14:08:42    

AVERT has seen an increase in the number of encoded JS/Seeker samples. This is due to new decoding methods used by the engine. The majority of these samples also exploit a Microsoft virtual machine vulnerability.  
This trojan alters the default startup and search pages for your web browser. The Windows Scripting Host must be installed for the trojan to run. It is believed that a script generating program may be involved in the creation of this trojan, which allows the author to specify different parameters. As there are many variants of this threat, your personal experiences may vary from those mentioned here. The trojan may arrive as a file named "runme.hta". Opening this file makes several registry changes to your system, such as:  
 
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL  
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL  
HKCU\Software\Netscape\Netscape Navigator\Main\Home Page  
Original registry values are saved to the files "HOMEREG111.REG", "BACKUP1.REG", and "BACKUP2.REG" in the WINDOWS directory.
 
 
Symptoms  
- Altered startup and search pages when launching web browser  
- Presence of "runme.hta", "removeit.hta", or "homereg111.reg"  
 
 
Method Of Infection  
Upon execution, new registry values are written to a file named "homereg111.reg"; existing registry values are saved to "backup1.reg", and "backup2.reg". "homereg111.reg" is then imported in to the registry. Finally "removeit.hta" is ran which attempts to delete the file, "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta".  
 
 
Removal Instructions  
Use specified engine and DAT files for detection and removal.
- Delete detected files  
- Restore desired Internet Explorer Start and Search pages  
- Install the Microsoft virtual machine vulnerability patch.  
 
 
Variants  
Name  Type  Sub Type  Differences  
 
 
Top of Page  
 
Aliases  
Name  
js.seeker  
JS_SEEKER.A  
JS_SEEKER.B

Reply

Sujets relatifs:

Leave a Replay

Make sure you enter the(*)required information where indicate.HTML code is not allowed