This alert is being released to increase awareness of the vulnerability exploited by this Trojan, and to remind our customers to apply the latest browser and operating system security patches.
The following has been derived from information provided by Network Associates, Symantec and Trend Micro.
Virus Characteristics
This extremely damaging Trojan exploits the "Microsoft VM ActiveX Component Vulnerability", which allows Java code embedded in an HTML page to instantiate ActiveX components and so escape the Java sandbox and modify the visitor's system. The vulnerability can be exploited by visiting a malicious web site, or simply by opening a malicious HTML file (which is why HTML e-mail is also a delivery vector).
This threat does not spread or replicate.
When activated, this Trojan modifies the following registry keys and values. Policy restrictions are switched on, and user-visible strings (window titles, the logon notice) are replaced with offensive text:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Values:
RestrictRun
NoChangeStartMenu
NoClose
NoDrives
NoDriveTypeAutoRun
NoFavoritesMenu
NoFileMenu
NoFind
NoFolderOptions
NoInternetIcon
NoRecentDocsMenu
NoLogOff
NoRun
NoSetActiveDesktop
NoSetFolders
NoSetTaskbar
NoWindowsUpdate
NoDesktop
NoViewContextMenu
NoNetHood
NoEntireNetwork
NoWorkgroupContents
NoSaveSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
NoConfigPage
NoDevMgrPage
NoDispAppearancePage
NoDispScrSavPage
NoDispBackgroundPage
NoDispSettingsPage
NoFileSysPage
NoVirtMemPage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
NoRealMode
Disabled
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Values:
Window Title
Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeCaption
LegalNoticeText
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}
ButtonText
CLSID
DefaultVisible
Exec
MenuStatusBar
MenuText
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\how to * japanese
HKEY_CLASSES_ROOT\Drive\shell\how to * japan
HKEY_LOCAL_MACHINE\Software\CLASSES\.exe, .reg, .htm, .html, .txt, .inf, .dll, .ini, .sys, .com, .bat
(default) is set to textfile for each of these extensions, so each of these file types is handled as a plain text file
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
internat.exe
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile
SchedulingAgent
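For triage at scale, an incident responder would rather export the registry of a suspect machine (regedit /e) and check the export offline than inspect each key by hand. The following Python script is an added example and is not part of the original alert: it parses a .reg export and reports the indicators listed above (policy values that are switched on, file types redirected to textfile, and the presence of the Extensions CLSID key). The key paths and value names are taken from the list above; the sample export is constructed, and reporting a policy only when it is a non-zero DWORD is this example's own heuristic.

```python
"""Offline triage of an exported Windows registry (.reg text) for the indicators
listed in this alert. Added example, not part of the original alert: key paths and
value names come from the alert; the sample export is constructed; reporting a
policy value only when it is a non-zero DWORD is this example's own heuristic."""
import re

POLICY_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": [
        "RestrictRun", "NoChangeStartMenu", "NoClose", "NoDrives", "NoDriveTypeAutoRun",
        "NoFavoritesMenu", "NoFileMenu", "NoFind", "NoFolderOptions", "NoInternetIcon",
        "NoRecentDocsMenu", "NoLogOff", "NoRun", "NoSetActiveDesktop", "NoSetFolders",
        "NoSetTaskbar", "NoWindowsUpdate", "NoDesktop", "NoViewContextMenu", "NoNetHood",
        "NoEntireNetwork", "NoWorkgroupContents", "NoSaveSettings"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": [
        "DisableRegistryTools", "NoConfigPage", "NoDevMgrPage", "NoDispAppearancePage",
        "NoDispScrSavPage", "NoDispBackgroundPage", "NoDispSettingsPage", "NoFileSysPage",
        "NoVirtMemPage"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp": [
        "NoRealMode", "Disabled"],
}
HIJACKED_EXTENSIONS = [".exe", ".reg", ".htm", ".html", ".txt", ".inf",
                       ".dll", ".ini", ".sys", ".com", ".bat"]
IE_EXTENSION_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions"
                    r"\{C18CB140-0BBB-11D4-8FE8-0088CC102438}")

# A value line is @=data (the key's default value) or "name"=data.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key (lower-cased): {value name (lower-cased, '' = default): data}}.
    dword: values become int, quoted strings become str, other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # [-KEY] is a deletion directive and carries no values to inspect
            current = None if name.startswith("-") else keys.setdefault(name.lower(), {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = _unescape(data[1:-1])
        else:
            value = data
        current[name.lower()] = value
    return keys


def find_indicators(text):
    """Return one finding per alert indicator present in the export."""
    reg = parse_reg(text)
    findings = []
    for key, names in POLICY_KEYS.items():
        values = reg.get(key.lower(), {})
        for n in names:
            v = values.get(n.lower())
            if isinstance(v, int) and v != 0:
                findings.append(f"policy {n} enabled under {key}")
    for ext in HIJACKED_EXTENSIONS:
        default = reg.get("hkey_local_machine\\software\\classes\\" + ext, {}).get("")
        if isinstance(default, str) and default.lower() == "textfile":
            findings.append(f"{ext} file association redirected to textfile")
    if IE_EXTENSION_KEY.lower() in reg:
        findings.append("IE extension key {C18CB140-0BBB-11D4-8FE8-0088CC102438} present")
    return findings


# Constructed sample: a damaged system, with one clean policy value (NoDrives=0)
# to show that only switched-on restrictions are reported.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
"NoRun"=dword:00000001
"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\CLASSES\.exe]
@="textfile"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}]
"ButtonText"="how to"
'''

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_EXPORT):
        print(finding)
```

If DisableRegistryTools already blocks regedit on the live system, take the export from a real-mode boot or from another operating system instead. Exports written by "Windows Registry Editor Version 5.00" are UTF-16 and must be decoded before the text is passed to parse_reg.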
Payload
This is an extremely damaging Trojan. If it is executed, the registry modifications it makes can render a system unusable and cause any of the following symptoms:
- System errors
- Changes to the Internet Explorer start page and window title
- Several Start Menu icons appear as text file icons (the file types listed above now point at textfile)
- Missing Desktop icons (NoDesktop)
- All programs fail to run (RestrictRun, together with the changed .exe association)
- Inability to shut down the system (NoClose)
- Symptoms persist even in Safe Mode, because the damage is stored in the registry rather than carried by a running process
Once a system has been infected, it is strongly recommended that the operating system be reinstalled; with DisableRegistryTools set, the registry cannot simply be repaired with regedit on the affected system.
Preventative Measures
Block messages containing scripts in the message body or attachment at the email gateway where possible. Scan Java code at the HTTP proxy or firewall using Internet gateway anti-virus. Most importantly, apply the security patch that corrects the "Microsoft VM ActiveX Component Vulnerability": because the flaw is in the Microsoft VM rather than in this particular Trojan, the patch protects against any page or file carrying the same exploit, whereas signature-based detection only catches the variants already known. The patch and additional information can be found at the following URL for "Microsoft Security Bulletin (MS00-075)":
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp
Detection Available
AVP: No information at time of alert
Network Associates: Engine 4.0.70 or later, DAT 4156 (08/29/2001)
Symantec: Definitions dated 08/20/2001 or later
Trend: Pattern 926 or later (08/20/2001)