Selected viruses, spyware, and other threats: sorted alphabetically
JS/IEStart.C
This Trojan horse is written in JavaScript. Once activated, it creates the file sign.htm in the directory C:\Program Files\. This file is attached as a signature to every outgoing e-mail. The worm arranges this by modifying the key HKEY_CURRENT_USER\Identities\+defuser+\Software\Microsoft\Outlook Express\5.0\signatures\Default Signature\10101010\ . The value of "+defuser+" varies with the configured user identity. The file contains code that opens the web address http://link.rawtocash.net/cgi-bin/link.cgi?ref=7223. The page is opened when the e-mail is read (if the use of HTML signatures is allowed in Outlook Express 5.0). On this page another JavaScript was located, which infects the computer (by modifying the registry and creating the file sign.htm).
Furthermore, the Trojan horse tries to set the homepage in Internet Explorer and Netscape Navigator to http://www.rawtocash.net/adv/sex.htm.
It adds the following pages to the browser's favourites:
SEXXX. Totaly Teen
Make BIG Money
6544 Search Engines Submission
In addition, it creates a cookie and sets it to expire two weeks after its creation.
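The traces described above can be looked for in a text export of a user's registry hive. The following triage script is an added example, not part of the original encyclopedia entry; the identity GUIDs and the "file" value name in the sample export are constructed, and the scanner matches on value data only, so it does not depend on them.

```python
import re

# Indicators quoted in the description above.
SIGN_FILE = r"c:\program files\sign.htm"
DOMAIN = "rawtocash.net"
OE_SIG = re.compile(r"\\Identities\\([^\\]+)\\Software\\Microsoft"
                    r"\\Outlook Express\\5\.0\\signatures", re.IGNORECASE)

def scan_reg_export(text):
    """Return (reason, key) pairs for suspicious values in a .reg export."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the next values belong to
            continue
        if "=" not in line:
            continue
        # .reg string data doubles every backslash; undo that before matching.
        data = line.split("=", 1)[1].replace("\\\\", "\\").lower()
        m = OE_SIG.search(key)
        if m and SIGN_FILE in data:   # Outlook Express signature points at sign.htm
            findings.append(("signature:" + m.group(1), key))
        if DOMAIN in data:            # e.g. a browser homepage set to the domain
            findings.append(("url", key))
    return findings

# Constructed sample export; GUIDs, paths and the "file" value name are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities\{11111111-0000-0000-0000-000000000001}\Software\Microsoft\Outlook Express\5.0\signatures\10101010]
"file"="C:\\Program Files\\sign.htm"

[HKEY_CURRENT_USER\Identities\{22222222-0000-0000-0000-000000000002}\Software\Microsoft\Outlook Express\5.0\signatures\00000000]
"file"="C:\\Users\\alice\\sig.txt"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.rawtocash.net/adv/sex.htm"
'''

if __name__ == "__main__":
    for reason, key in scan_reg_export(SAMPLE):
        print(reason, "->", key)
```

Exports written by regedit are UTF-16 encoded, so decode the file accordingly before passing its text to `scan_reg_export`.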
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

