Discovered: January 06, 2004
Updated: January 06, 2004 8:19:08 PM
Systems Affected: Windows

W32.Bizten is a program that modifies Internet Explorer home page and adds URLs to the Internet Explorer Favorites list.

Discovered: January 06, 2004
Updated: January 06, 2004 8:19:08 PM
Systems Affected: Windows

W32.Bizten is a program that modifies Internet Explorer home page and adds URLs to the Internet Explorer Favorites list. When the trojan is installed, it creates the following copy of itself:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

Next the trojan will add the following URLs to the Internet Explorer Favourites list:
~Series Hardcore Pic Sets and Movies.url
Young Teen Fucking Great Lo Archives.url
WOW VIDEOS AND PICS -- REALLY HARDCORE VIDEOS.url
Quality Galleries 50 000 freepics and movie.url
FULL COLLECTION DIRTY PORNO.url
Elite Teen Sites - Adult portal The Best TEEN SITES.url
Elite Mature Sites - Adult portal The Best Mature Sites.url
XXX QH PICS ARCHIVE.url


Finally the following registry entries are created to modify Internet Explorer settings. The value <predetermined URL> may be one of the following:
www.find-itnow.com
www.find-itnow.com/panel_search.html
teen-biz.com

KEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page"="<predetermined URL>"
KEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page"="<predetermined URL>"
KEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Bar"="<predetermined URL>"
KEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Asst"="no"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\"(Default)"="<predetermined URL>"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\"provider"="gogl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\"SearchAssistant"="<predetermined URL>"