Offensive is a trojan horse that is able to execute directly via a web page or a HTML formatted email message by using a security vulnerability in Internet Explorer.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When executed, the trojan creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
RestrictRun
NoChangeStartMenu
NoClose
NoDrives
NoDriveTypeAutoRun
NoFavoritesMenu
NoFileMenu
NoFind
NoFolderOptions
NoInternetIcon
NoRecentDocsMenu
NoLogOff
NoRun
NoSetActiveDesktop
NoSetFolders
NoSetTaskbar
NoWindowsUpdate
Nodesktop
NoViewContextMenu
NoNetHooD
NoEntioeNetwork
NoWorkgroupContents
NoSaveSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
NoConfigPage
NoDevMgrPage
NoDispAppearancePage
NoDispScrSavPage
NoDispBackgroundPage
NoDispSettingsPage
NoFileSysPage
NoVirtMemPage
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\
NoRealMode
Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
Window Title
Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
Window Title
Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\
LegalNoticeCaption
LegalNoticeText
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{C18CB140-0BBB-11D4-8FE8-0088CC102438}\
ButtonText
CLSID
Default Visible
Exec
MenuStatusBar
MenuText
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
how to **** japanese
HKEY_CLASSES_ROOT\Drive\shell\how to **** japan\
command
HKEY_LOCAL_MACHINE\Software\CLASSES\
.exe
.reg
.htm
.html
.txt
.inf
.dll
.ini
.sys
.com
.bat
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
internat.exe;
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
LoadPowerProfile
SchedulingAgent
These changes to the registry render the system to unusable state.
The security vulnerability used by the trojan is known. A fix and further information is available from Microsoft: https://www.microsoft.com/technet/security/bulletin/MS00-075.asp