JS.Fortnight.D

Discovered: October 23, 2003
Updated: October 25, 2003 3:54:28 PM
Systems Affected: Windows

JS.Fortnight.D is a trojan that may arrive as an email signature in HTML based email. It exploits the Microsoft Virtual Machine com.ms.activeX.ActiveXComponent Arbitrary Program Execution Vulnerability (Bugtraq ID 1754) to modify system configuration information.

When an email with JS.Fortnight.D in the signature is opened, the trojan drops the file:
%Windir%\c<month number, e.g. October = 10>.htm

This file is then set as the Microsoft Outlook Express default signature for outgoing emails. The trojan accomplishes this by making the following registry modifications:

In key:
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Version of Outlook]\signatures

the following value is added:
Default Signature 01000000

In key:
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Version of Outlook]\signatures\010000000

the following values are added:
file %windir%\c<month number>.htm
name Default
text ""
type 2

Next, the trojan modifies the following registry keys so that the recipient's Internet Explorer searches are sent to the trojan creator's web site:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl

The trojan then makes the following registry entries to create buttons in the Internet Explorer toolbar:

In registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{0B5F1910-F111-11d2-BB9E-00C04F7956B1}

The values:
ButtonText SEARCH
HotIcon shell32.dll,5
Icon shell32.dll,4
Exec <trojan author specific website>
CLSID {1FBA04EE-3024-11D2-8F1F-0000F97ABD16}
Default Visible Yes

are added to create a SEARCH button.

In registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{0B5F1910-F111-11d2-BB9E-00C04F7956B2}

The values:
ButtonText ANTIVIRUS
HotIcon shell32.dll,12
Icon shell32.dll,13
Exec <trojan author specific website>
CLSID {1FBA04EE-3024-11D2-8F1F-0000F97ABD16}
Default Visible Yes

are added to create an ANTIVIRUS button.

In registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{0B5F1910-F111-11d2-BB9E-00C04F7956B3}

The values:
ButtonText SECURITY
HotIcon shell32.dll,194
Icon shell32.dll,45
Exec <trojan author specific website>
CLSID {1FBA04EE-3024-11D2-8F1F-0000F97ABD16}
Default Visible Yes

are added to create a SECURITY button.

In registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{0B5F1910-F111-11d2-BB9E-00C04F7956B5}

The values:
ButtonText SEARCH
HotIcon shell32.dll,157
Icon shell32.dll,155
Exec <trojan author specific website>
CLSID {1FBA04EE-3024-11D2-8F1F-0000F97ABD16}
Default Visible Yes

are added to create a SEARCH button.

Finally, the trojan adds the following value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so that the dropped file is processed at each logon (regedit.exe /s imports a registry file without prompting):

Internal regedit.exe /s %windir%\c<month number>
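The following PowerShell script is an added example and is not part of this writeup or any vendor removal tool. It is a read-only audit: it reads back every registry location listed above and reports values that match the described indicators (a signature file named c<NN>.htm under %windir%, changed IE search URLs, the four Extensions GUIDs, and a Run value named Internal that invokes regedit.exe /s). The filename regex and the Microsoft/MSN allow-list used to judge the search URLs are assumptions of this example, not facts from the writeup; anything it reports should be reviewed, not treated as proof of infection.

```powershell
# Added example: read-only audit of the registry locations the JS.Fortnight.D
# writeup lists. Reports matches and changes nothing. Run as the affected user
# (for the HKCU checks) with rights to read HKLM.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    # Returns a named value (use '(default)' for the key's default value) or $null.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Outlook Express signatures whose file lives at %windir%\c<NN>.htm.
#    The pattern is an assumption of this example: a legitimate OE signature
#    file would not normally be stored under the Windows directory.
$sigPattern = '(%windir%|' + [regex]::Escape($env:windir) + ')\\c\d{1,2}\.htm$'
if (Test-Path -LiteralPath 'HKCU:\Identities') {
    foreach ($identity in Get-ChildItem -LiteralPath 'HKCU:\Identities') {
        $oeRoot = "Registry::$($identity.Name)\Software\Microsoft\Outlook Express"
        if (-not (Test-Path -LiteralPath $oeRoot)) { continue }
        foreach ($version in Get-ChildItem -LiteralPath $oeRoot) {
            $sigRoot = "Registry::$($version.Name)\signatures"
            if (-not (Test-Path -LiteralPath $sigRoot)) { continue }
            $default = Get-RegValue $sigRoot 'Default Signature'
            foreach ($sig in Get-ChildItem -LiteralPath $sigRoot) {
                $file = Get-RegValue "Registry::$($sig.Name)" 'file'
                if ($file -and $file -match $sigPattern) {
                    $flag = if ($sig.PSChildName -eq $default) { ' (set as default)' } else { '' }
                    $findings.Add("OE signature $($sig.PSChildName) -> $file$flag")
                }
            }
        }
    }
}

# 2. Internet Explorer search settings. The 'Expected' regexes are assumptions
#    of this example (stock values point at microsoft.com/msn.com, and
#    DefaultPrefix is just 'http://'); anything else is reported for review.
$searchValues = @(
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant';
       Expected = '^https?://[^/]*(microsoft|msn)\.com/' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Search'; Name = 'CustomizeSearch';
       Expected = '^https?://[^/]*(microsoft|msn)\.com/' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'; Name = '(default)';
       Expected = '^http://$' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'; Name = '(default)';
       Expected = '^https?://[^/]*(microsoft|msn)\.com/' }
)
foreach ($v in $searchValues) {
    $data = Get-RegValue $v.Path $v.Name
    if ($data -and ($data -notmatch $v.Expected)) {
        $findings.Add("IE search setting $($v.Path)\$($v.Name) = $data")
    }
}

# 3. Toolbar buttons registered under the four Extensions GUIDs named in the writeup.
$extRoot = 'HKLM:\Software\Microsoft\Internet Explorer\Extensions'
foreach ($suffix in 'B1', 'B2', 'B3', 'B5') {
    $key = "$extRoot\{0B5F1910-F111-11d2-BB9E-00C04F7956$suffix}"
    if (Test-Path -LiteralPath $key) {
        $text = Get-RegValue $key 'ButtonText'
        $exec = Get-RegValue $key 'Exec'
        $findings.Add("IE toolbar button '$text' (GUID ...$suffix) opens: $exec")
    }
}

# 4. Run value 'Internal' that silently imports a file with regedit.exe /s.
$run = Get-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' 'Internal'
if ($run -and $run -match 'regedit(\.exe)?\s+/s') {
    $findings.Add("Run value Internal = $run")
}

if ($findings.Count -eq 0) {
    Write-Output 'No JS.Fortnight.D registry indicators found.'
} else {
    Write-Output "Possible JS.Fortnight.D indicators ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script deliberately walks every identity and Outlook Express version subkey rather than hard-coding the 010000000 subkey name, because the signature number assigned on a given machine need not match the one in the writeup; the GUID suffix loop likewise covers B1, B2, B3 and B5 exactly as listed (B4 is not mentioned and is not checked).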