Copyright © 1999 - 2006, Sandra Hardmeier, All Rights Reserved Worldwide
Last updated 20/08/2006
Should be detected by most antivirus programmes.
Hides the following Internet Explorer options: the "Security" tab and the "Advanced" tab. To fix, use regedit to navigate to the following registry keys. Delete the words that are in bold below in the right-hand pane.
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab
It interferes with the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchAssistant (delete to reset default)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CustomizeSearch (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\CustomizeSearch (delete to reset default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix (see HERE for correct settings)
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures (delete Default Signature DWORD)
HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\5.0\signatures\00000000 (delete file; name; text; type DWORDS)
It creates the following files (delete them):
%windows%\s.htm
%windows%\hosts
%windows%\system32\drivers\etc\hosts
%favorites%\Nude Nurses.url
%favorites%\Search You Trust.url
%favorites%\Your Favorite Porn Links.url
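An added example, not part of the original page: a read-only PowerShell check that reports which of the registry values and files listed above are present, so they can be reviewed before anything is deleted by hand. It assumes the last component of each listed registry path is the value name, and it maps %windows% to $env:windir and %favorites% to the current user's Favorites folder.

```powershell
# Added example: read-only audit of the registry values and files listed on this page.
# Assumption: the last component of each listed registry path is the value name.
$main   = 'Software\Microsoft\Internet Explorer\Main'
$search = 'Search Page', 'Search Bar', 'SearchAssistant', 'CustomizeSearch'
$targets = @(
    @{ Key   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Names = 'SecurityTab', 'AdvancedTab' }
    @{ Key = "HKCU:\$main"; Names = $search }
    @{ Key = "HKLM:\$main"; Names = $search }
    # '' is the key's default value; compare its data by hand with the correct settings.
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'; Names = @('') }
)
# [Default User ID] differs per profile, so every identity under HKCU:\Identities is checked.
foreach ($id in Get-ChildItem -LiteralPath 'HKCU:\Identities' -ErrorAction SilentlyContinue) {
    $sig = "$($id.PSPath)\Software\Microsoft\Outlook Express\5.0\signatures"
    $targets += @{ Key = $sig; Names = @('Default Signature') }
    $targets += @{ Key = "$sig\00000000"; Names = 'file', 'name', 'text', 'type' }
}
# Report each listed value that exists, with its current data. Nothing is modified.
foreach ($t in $targets) {
    $key = Get-Item -LiteralPath $t.Key -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $t.Names) {
        if ($key.GetValueNames() -contains $name) {
            [pscustomobject]@{ Kind = 'Registry'; Location = $key.Name
                               Item = $name; Data = $key.GetValue($name) }
        }
    }
}
$fav   = [Environment]::GetFolderPath('Favorites')
$files = "$env:windir\s.htm", "$env:windir\hosts", "$env:windir\system32\drivers\etc\hosts",
         "$fav\Nude Nurses.url", "$fav\Search You Trust.url", "$fav\Your Favorite Porn Links.url"
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    # For hosts files, show the active (non-comment, non-blank) lines for review.
    $data = ''
    if ($f -like '*\hosts') {
        $data = (@(Get-Content -LiteralPath $f) -notmatch '^\s*(#|$)') -join '; '
    }
    [pscustomobject]@{ Kind = 'File'; Location = Split-Path -Parent $f
                       Item = Split-Path -Leaf $f; Data = $data }
}
```

Run it as the affected user, since the HKEY_CURRENT_USER entries and the Favorites folder are per-profile.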
To prevent future infections using the same trick, update your version of the Java VM to at least 3180. Information on how to do that can be found here.