JS/Seeker.gen

Type: Trojan
SubType: -
Discovery Date: 10/26/2000
Length: 0
Minimum DAT: 4102 (11/01/2000)
Updated DAT: 4711 (03/06/2006)
Minimum Engine: 5.1.00
Description Added: 11/03/2000
Description Modified: 02/28/2003 6:26 AM (PT)
Risk Assessment:
- Corporate User: Medium
- Home User: Medium

Characteristics

-- Update October 5, 2001 --
AVERT has seen an increase in the number of encoded JS/Seeker samples since the release of the 4.1.50 scan engine. This is due to new decoding methods used by the engine. The majority of these samples also exploit a Microsoft virtual machine vulnerability.

This trojan alters the default startup and search pages of your web browser. The Windows Scripting Host must be installed for the trojan to run. It is believed that a script-generating program may be involved in the creation of this trojan, which lets the author specify different parameters. As there are many variants of this threat, your personal experience may vary from what is described here. The trojan may arrive as a file named "runme.hta". Opening this file changes several registry values on your system, such as:

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Netscape\Netscape Navigator\Main\Home Page

Original registry values are saved to the files "HOMEREG111.REG", "BACKUP1.REG", and "BACKUP2.REG" in the WINDOWS directory.

Users may also see a slightly different version of this trojan, which is detected as Reg/Seeker. The only difference is that Reg/Seeker resides in a *.reg file rather than in a JavaScript file.

Symptoms

- Altered startup and search pages when launching web browser
- Presence of "runme.hta", "removeit.hta", or "homereg111.reg"

Method of Infection

Upon execution, the new registry values are written to a file named "homereg111.reg", and the existing registry values are saved to "backup1.reg" and "backup2.reg". "homereg111.reg" is then imported into the registry. Finally, "removeit.hta" is run, which attempts to delete the file "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta".

Removal

Use the specified engine and DAT files for detection and removal.

- Delete detected files
- Restore desired Internet Explorer Start and Search pages
- Install the Microsoft virtual machine vulnerability patch.
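The description says the trojan stages its changes as a REGEDIT4 export ("homereg111.reg") and keeps the pre-infection values in "backup1.reg"/"backup2.reg" before importing. A responder who finds those files can read them directly instead of guessing what was changed. The script below is an added example, not McAfee/AVERT code: it parses REGEDIT4-format text, flags the three start/search page values named above, and pairs each hijacked value with the original recovered from the backup export. The .reg contents are constructed samples and the URLs in them are placeholders; the registry paths are the ones listed on this page.

```python
"""Parse REGEDIT4-style .reg exports, flag the browser start/search page
values that JS/Seeker rewrites, and recover the originals from the
backup export the trojan leaves behind.

Added example for this description (not McAfee/AVERT code). The two .reg
samples below are constructed; every URL in them is a placeholder.
"""
import re

# .reg files spell hives out in full; the description uses short names.
HIVE_ABBREV = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}

# (key, value name) pairs named in the description as altered by the trojan.
HIJACK_TARGETS = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Default_Page_URL"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Default_Search_URL"),
    (r"HKCU\Software\Netscape\Netscape Navigator\Main", "Home Page"),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (any \\x -> x)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {normalised_key: {value_name: data}} for REGEDIT4 text.

    Quoted string data is unescaped; other data types (dword:, hex:) are
    kept as the raw text after '='. The default value is stored under '@'.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        upper = line.upper()
        if (not line or line.startswith(";")
                or upper.startswith("REGEDIT")
                or upper.startswith("WINDOWS REGISTRY EDITOR")):
            continue
        m = _KEY_RE.match(line)
        if m:
            hive, _, rest = m.group(1).partition("\\")
            current = HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "@", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"') and len(data) >= 2:
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_hijacked_values(parsed):
    """Sorted list of (key, name, data) for every watched value that is set."""
    return sorted(
        (key, name, data)
        for key, values in parsed.items()
        for name, data in values.items()
        if (key, name) in HIJACK_TARGETS
    )


def recover_originals(hijack_reg, backup_reg):
    """Map each hijacked (key, name) to (value_set_by_trojan, backed_up_value).

    The backup entry is None when the export did not contain that value,
    e.g. a browser that was never installed on the machine.
    """
    new, old = parse_reg(hijack_reg), parse_reg(backup_reg)
    return {
        (key, name): (data, old.get(key, {}).get(name))
        for key, name, data in find_hijacked_values(new)
    }


# Constructed sample standing in for homereg111.reg (placeholder URLs).
HOMEREG_SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://hijack.example/start"
"Default_Search_URL"="http://hijack.example/search"

[HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main]
"Home Page"="http://hijack.example/start"
"""

# Constructed sample standing in for backup1.reg: IE values only, no Netscape key.
BACKUP_SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://original.example/"
"Default_Search_URL"="http://original.example/search"
"Window Title"="My Browser"
"""

if __name__ == "__main__":
    for (key, name), (new, old) in recover_originals(HOMEREG_SAMPLE, BACKUP_SAMPLE).items():
        print(f"{key}\\{name}: trojan set {new!r}, backup holds {old!r}")
```

A `None` in the backup column means the export never had that value, so there is nothing to restore for that browser; the remaining values can be put back by hand (the "Restore desired Internet Explorer Start and Search pages" step above) after the detected files have been deleted.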

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • js.seeker
  • JS/Seeker.gen.a
  • JS/Seeker.gen.b
  • JS/Seeker.gen.c
  • JS/Seeker.gen.d
  • JS/Seeker.gen.e
  • JS/Seeker.gen.f
  • JS/Seeker.gen.g
  • JS/Seeker.gen.h
  • JS/Seeker.gen.k
  • JS/Seeker.gen.l
  • JS/Seeker.gen.m
  • JS/Seeker.gen.n
  • JS/Seeker.i
  • JS/Seeker.j
  • JS/Seeker.p
  • JS/Seeker.q
  • JS/Seeker.r
  • JS/Seeker.s
  • JS/Seeker.t
  • JS/Seeker.u
  • JS_SEEKER.A
  • JS_SEEKER.B
  • VBS/Seeker
