On execution, the script disables the task manager by adding the following parameter to the system registry key shown below:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "dword:00000001"
The Trojan will then pause for 30 seconds, and set the Internet Explorer home page to "http://www.dosugrus.com" with the following launch permissions:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.dosugrus.com"
[HKLM\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.dosugrus.com"
[HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "dword:00000001"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "dword:00000001"
The Trojan will then create a file which is an Internet shortcut called
- Delete the file containing the Trojan script (the location will depend on how the program originally penetrated the victim machine).
- Edit the system registry and set the following values:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "about:blank"
[HKLM\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "about:blank"
- Open the following registry keys:
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel
and delete the registry parameter

This Trojan is a VBS script. The file is 1,069 bytes in size.
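The registry changes and removal steps above can be verified with a read-only audit. The following PowerShell is an added example, not part of the original description; it uses only the key paths and values listed on this page and modifies nothing.

```powershell
# Added example: read-only audit for the registry changes listed on this page.
# Key paths and data come from the description above; nothing is modified.
$site = 'http://www.dosugrus.com'   # home page value named on this page

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Bad = $site },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Bad = $site },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'HomePage'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'HomePage'; Bad = 1 }
)

$findings = foreach ($c in $checks) {
    # A missing key or value is the clean state, so suppress the lookup error.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $value = $item.($c.Name)
    # Compare as trimmed strings so DWORD 1 and the URL are handled the same way.
    if ("$value".Trim() -eq "$($c.Bad)") {
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $value }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) registry value(s) match the changes described above."
} else {
    Write-Output 'None of the listed registry values are set to the Trojan''s data.'
}
```

Running it again after the manual removal steps should report no matches.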
Payload
