Copyright 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006

Should be detected by most antivirus programmes.

 

Hides the following Internet Explorer options: the "Security" tab and the "Advanced" tab. To fix, use regedit to navigate to the registry keys below and, in the right-hand pane, delete the value named at the end of each path (SecurityTab and AdvancedTab, shown in bold on the original page).

 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab
 

It interferes with the following registry keys:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchAssistant (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CustomizeSearch (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\CustomizeSearch (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix (see HERE for correct settings)

 

HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures (delete Default Signature DWORD)

 

HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\00000000 (delete file; name; text; type DWORDS)
 

It creates the following files (delete them):

 

%windows%\s.htm
%windows%\hosts
%windows%\system32\drivers\etc\hosts
%favorites%\Nude Nurses.url
%favorites%\Search You Trust.url
%favorites%\Your Favorite Porn Links.url

 

To prevent future infections using the same trick, update your version of the Java VM to at least 3180. Information on how to do that can be found here.
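
The Internet Explorer registry values and the files listed above can be checked in one read-only pass before anything is deleted. The script below is an added example, not part of the original page. It assumes PowerShell 3.0 or later is available, that %windows% means the Windows directory ($env:windir), and that %favorites% means the current user's Favorites folder. The Outlook Express signature entries are not covered.

```powershell
# Read-only audit of the IE registry values and files listed on this page.
# Nothing is modified; review the output before deleting anything.
$cp = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$checks = @(
    @{ Key = $cp; Name = 'SecurityTab' }
    @{ Key = $cp; Name = 'AdvancedTab' }
    # '' selects the key's default value
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'; Name = '' }
)
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($name in 'Search Page', 'Search Bar', 'SearchAssistant', 'CustomizeSearch') {
        $checks += @{ Key = "$hive\Software\Microsoft\Internet Explorer\Main"; Name = $name }
    }
}

$registry = foreach ($c in $checks) {
    $key  = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
    $data = if ($key) { $key.GetValue($c.Name) } else { $null }
    [pscustomobject]@{
        Key     = $c.Key
        Value   = if ($c.Name) { $c.Name } else { '(Default)' }
        Present = $null -ne $data
        Data    = $data
    }
}
$registry | Format-Table -AutoSize -Wrap

$fav = [Environment]::GetFolderPath('Favorites')   # assumed meaning of %favorites%
$files = @(
    "$env:windir\s.htm"
    "$env:windir\hosts"
    "$env:windir\system32\drivers\etc\hosts"
    "$fav\Nude Nurses.url"
    "$fav\Search You Trust.url"
    "$fav\Your Favorite Porn Links.url"
)
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "absent   $f"; continue }
    "present  $f"
    if ((Split-Path -Leaf $f) -eq 'hosts') {
        # A hosts file normally exists under system32\drivers\etc on NT-based
        # Windows, so show its active (non-comment) entries for review instead
        # of treating its presence alone as a sign of infection.
        Get-Content -LiteralPath $f | Where-Object { $_ -match '^\s*[^#\s]' } |
            ForEach-Object { "    $_" }
    }
}
```

The Search Page, Search Bar and DefaultPrefix values can also exist on a clean system, so the Data column is what to review for those rows.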