Threat Encyclopedia


JS/Seeker.A

This Trojan horse is written in JavaScript. It exploits the Scriptlet.typelib vulnerability, which enables a web page to alter files on a computer without the user's awareness. The vulnerability is described at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq99-032.asp. To secure the computer, install the patch available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99-032.asp.
JS/Seeker consists of three parts. The first is located on an Internet page; the other two are in the files runme.hta and removeit.hta. To function it needs Windows Scripting Host, which is a standard part of the Windows 98 installation.
The code located on the page creates a file named runme.hta in the directory C:\windows\Start Menu\Programs\StartUp. This file is run automatically when the system restarts.
When run, JS/Seeker creates the files backup1.reg and backup2.reg in the directory C:\WINDOWS. Using the program regedit.exe, it stores in them backups of the following system registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

In the directory C:\WINDOWS it creates the file homereg111.reg. This file sets all of the above-mentioned keys so that they point to the page at http://www.sureseeker.com/search.htm. This alters the pages that Internet Explorer uses for searching.
Finally, JS/Seeker executes the file removeit.hta, which deletes the file runme.hta. By doing so it conceals how the above-mentioned alteration of the system registry was carried out.
In the directory C:\Windows\Favorites\, which contains the user's favourite web pages, it adds the file Free Daily Photos.url. This file points at the page www.freehotpics.com/freedailyphotos. In the same way, using the files Search The Web.url, Sports.url, Travel.url, Finance.url, Gambling.url and Shopping.url, it sets these favourite items to the address www.sureseeker.com/newsearch.pl?search=..., where the dots stand for the relevant keyword.
This Trojan horse exists in many other variants, which perform their activities and present themselves in similar ways.
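
A file-system check for the traces listed in this entry, as an added example (it is not code from the encyclopedia or its publisher). It assumes a copy of drive C: is available as a directory tree and covers files only, not the live registry; the sample tree, the host travel.example and the keyword "sports" are constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the entry above, lower-cased and relative to the root of C:.
FIXED_PATHS = {
    "windows/start menu/programs/startup/runme.hta",
    "windows/backup1.reg", "windows/backup2.reg", "windows/homereg111.reg",
}
FAVORITES_DIR = "windows/favorites/"
BAD_HOSTS = ("sureseeker.com", "freehotpics.com")
URL_LINE = re.compile(r"^\s*URL\s*=\s*(\S+)", re.I | re.M)

def shortcut_host(text):
    """Return the lower-cased host from the URL= line of a .url file, or None."""
    m = URL_LINE.search(text)
    if not m:
        return None
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", m.group(1), flags=re.I)
    return re.split(r"[/:?#]", target, maxsplit=1)[0].lower()

def scan(root):
    """Walk a mounted copy of drive C: and return sorted (path, reason) pairs."""
    findings, root = [], Path(root)
    for path in (p for p in root.rglob("*") if p.is_file()):
        # Windows paths are case-insensitive, so compare in lower case.
        rel = path.relative_to(root).as_posix().lower()
        if rel in FIXED_PATHS:
            findings.append((rel, "file name listed in the entry"))
        elif rel.startswith(FAVORITES_DIR) and rel.endswith(".url"):
            # Names like Sports.url are common; flag only on the target host.
            host = shortcut_host(path.read_text(errors="replace"))
            if host and any(host == h or host.endswith("." + h) for h in BAD_HOSTS):
                findings.append((rel, "favorite points at " + host))
    return sorted(findings)

def demo():
    """Scan a constructed directory tree (sample data, not a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        fav = Path(tmp, "WINDOWS", "Favorites")
        fav.mkdir(parents=True)
        (fav / "Sports.url").write_text(
            "[InternetShortcut]\nURL=http://www.sureseeker.com/newsearch.pl?search=sports\n")
        (fav / "Travel.url").write_text("[InternetShortcut]\nURL=http://travel.example/\n")
        Path(tmp, "WINDOWS", "homereg111.reg").write_text("REGEDIT4\n")
        return scan(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Because removeit.hta deletes runme.hta once the Trojan has run, the .reg files and the redirected favourites are the traces most likely to remain on disk.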

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.