VBS/IEStart.H

Analysis


Specifics
This is a VBScript threat designed to change the search page and start page for Internet Explorer. It may have been introduced to the system from a malicious web site as part of a Microsoft cabinet file installation. The .CAB file contains two script files - an installation file named SEARCH.INF and a VBScript file named SEARCH.VBS.

When the .CAB file is installed via a web process, the .INF file and the .VBS file are executed, changing the start and search pages for Internet Explorer to the web address 'www.searchwww.com'. The changes are made in the system registry -

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Page" = http://www.searchwww.com/
"Start Page" = http://www.searchwww.com/

To maintain these settings, the virus copies itself to the Startup folder -

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs

When Internet Explorer is launched, the user may experience numerous pop-up ads.
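A read-only check for the two registry values and the Startup copy described above, as an added example that is not part of the original entry. The function name `Test-IEStartIndicators` and the second Startup path (the all-users Startup folder on Windows Vista and later) are assumptions added here; the other values come from the analysis.

```powershell
# Added example: read-only check for the VBS/IEStart.H indicators listed above.
# Run as the affected user, because the values live under HKEY_CURRENT_USER.
$indicatorHost = 'searchwww.com'   # address named in the analysis
$ieMainKey     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startupCopies = @(
    # Path given in the analysis (Windows 2000/XP layout)
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs',
    # Assumption added here: the same folder on Windows Vista and later
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup\Search.vbs')
)

function Test-IEStartIndicators {
    $findings = @()

    # 1. Start and search page values changed by SEARCH.INF / SEARCH.VBS
    $main = Get-ItemProperty -Path $ieMainKey -ErrorAction SilentlyContinue
    foreach ($name in 'Search Page', 'Start Page') {
        $value = $null
        if ($main) { $value = $main.$name }
        if ($value -and ($value -like "*$indicatorHost*")) {
            $findings += New-Object PSObject -Property @{
                Type = 'Registry'; Item = "$ieMainKey\$name"; Detail = $value
            }
        }
    }

    # 2. Copy of the script kept in the all-users Startup folder
    foreach ($path in $startupCopies) {
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path -Force
            $findings += New-Object PSObject -Property @{
                Type = 'File'; Item = $path
                Detail = "{0} bytes, modified {1:u}" -f $file.Length, $file.LastWriteTimeUtc
            }
        }
    }
    return $findings
}

$result = @(Test-IEStartIndicators)
if ($result.Count -gt 0) {
    $result | Select-Object Type, Item, Detail | Format-List
} else {
    'No VBS/IEStart.H indicators found for this user.'
}
```

A file named Search.vbs in the Startup folder is only a lead; compare it against the antivirus verdict before removing it, and reset the two registry values after the file is gone so they are not rewritten at the next logon.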


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR