** Virus Alert:  Offensive **

"Offensive" Trojan horse can seriously damage your PC. Be careful where you surf! This Web-based ActiveX Trojan horse can render your Windows PC absolutely useless.

A Trojan horse that uses ActiveX is lurking on the Internet. Trojan horse Offensive, so named because it makes offensive references within the Windows registry, could arrive via e-mail as a link to a Web page ending in .html. When opened, the Web page will display a button that says "Start." If pressed, Offensive will severely damage your Windows operating system: no icons will be visible on the desktop, no programs will execute, you will not be able to shut down Windows, and you will not be able to work around these effects in the Safe Mode either. If you have been affected by Offensive, you should contact M & M Programming, Inc. as Windows will have to be reloaded. Because Offensive is not yet widely reported but may cause serious damage, it currently ranks as a 5 on the ZDNet Virus Meter.

Prevention

At this time, only a few antivirus companies have updated their signature files to include Offensive. You can limit your chances of exposure to Offensive by disabling or selectively accepting ActiveX components when visiting untrusted Web sites. For more information on preventing and removing Offensive from your system, see the advisories from McAfee <http://vil.nai.com/vil/virusSummary.asp?virus_k=99189> and Symantec <http://www.symantec.com/avcenter/venc/data/pf/trojan.offensive.html>.

How it works

According to the Symantec AntiVirus Research Center, the following changes are made to the Windows system registry when Offensive is executed:

Key: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Values:
RestrictRun
NoChangeStartMenu
NoClose
NoDrives
NoDriveTypeAutoRun
NoFavoritesMenu
NoFileMenu
NoFind
NoFolderOptions
NoInternetIcon
NoRecentDocsMenu
NoLogOff
NoRun
NoSetActiveDesktop
NoSetFolders
NoSetTaskbar
NoWindowsUpdate
Nodesktop
NoViewContextMenu
NoNetHooD
NoEntioeNetwork
NoWorkgroupContents
NoSaveSettings
 
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Values:
DisableRegistryTools
NoConfigPage
NoDevMgrPage
NoDispAppearancePage
NoDispScrSavPage
NoDispBackgroundPage
NoDispSettingsPage
NoFileSysPage
NoVirtMemPage

Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Values:
NoRealMode
Disabled
 
Keys:
HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\Window Title
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Window Title
Values:
Window Title
Start Page

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
Values:
LegalNoticeCaption
LegalNoticeText
 
Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}
Values:
ButtonText
CLSID
DefaultVisible
Exec
MenuStatusBar
MenuText
 
Keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\how to * japanese
HKEY_CLASSES_ROOT\Drive\shell\how to * japan
 
Keys:
HKEY_LOCAL_MACHINE\Software\CLASSES\.exe
HKEY_LOCAL_MACHINE\Software\CLASSES\.reg
HKEY_LOCAL_MACHINE\Software\CLASSES\.htm
HKEY_LOCAL_MACHINE\Software\CLASSES\.html
HKEY_LOCAL_MACHINE\Software\CLASSES\.txt
HKEY_LOCAL_MACHINE\Software\CLASSES\.inf
HKEY_LOCAL_MACHINE\Software\CLASSES\.dll
HKEY_LOCAL_MACHINE\Software\CLASSES\.ini
HKEY_LOCAL_MACHINE\Software\CLASSES\.sys
HKEY_LOCAL_MACHINE\Software\CLASSES\.com
HKEY_LOCAL_MACHINE\Software\CLASSES\.bat
Value:
(default) is set to textfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value:
internat.exe
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile

Key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Value:
LoadPowerProfile
SchedulingAgent 
In order to restore the registry settings changed by Trojan.Offensive, you must edit the registry from a command line at a DOS prompt (which is not advised), restore the registry from a backup, or reload Windows.
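
One way to check a saved registry export for the changes listed above. This is an added example, not code from this alert or from Symantec. It assumes a REGEDIT4-style text export with one value per line, treats any non-zero setting under the three Policies keys as an active restriction (broader than the named values), and uses a constructed sample whose data values are illustrative.

```python
# Keys, extensions and GUID below are copied from the lists in this alert.
POLICIES = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\"
POLICY_KEYS = {POLICIES + leaf for leaf in ("explorer", "system", "winoldapp")}
CLASSES = "hkey_local_machine\\software\\classes\\"
HIJACKED_EXTS = set(".exe .reg .htm .html .txt .inf .dll .ini .sys .com .bat".split())
IE_EXT_GUID = "{c18cb140-0bbb-11d4-8fe8-0088cc102438}"

# Constructed sample export; the dword data values are illustrative only.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\CLASSES\.exe]
@="textfile"

[HKEY_LOCAL_MACHINE\Software\CLASSES\.bmp]
@="Paint.Picture"
"""

def parse_reg(text):
    """Yield (key, value_name, data) from single-line entries of a .reg export."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            yield key, name.strip('"'), data.strip('"')  # "@" is the default value

def is_active(data):
    """Assumption: a non-zero dword/hex payload means the restriction is enabled."""
    kind, _, payload = data.lower().partition(":")
    return kind.startswith(("dword", "hex")) and bool(payload.strip("0,"))

def find_indicators(text):
    """Return (category, key, detail) tuples for entries matching the alert."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in POLICY_KEYS and is_active(data):
            findings.append(("policy-restriction", key, name))
        elif k.startswith(CLASSES) and k[len(CLASSES):] in HIJACKED_EXTS:
            if name == "@" and data.lower() == "textfile":
                findings.append(("extension-hijack", key, data))
        elif IE_EXT_GUID in k:
            findings.append(("ie-extension", key, name))
    return findings
```

Calling find_indicators(SAMPLE) reports the NoRun restriction and the .exe association pointing at textfile, and ignores the zeroed NoDrives value and the unrelated .bmp entry.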