VBS/IEStart.H
Analysis
Specifics
This is a VBScript threat designed to change the search
page and start page for Internet Explorer. It may have
been introduced to the system from a malicious web site
as part of a Microsoft cabinet file installation. The
.CAB file contains two script files - an installation
file named SEARCH.INF and a VBScript file named SEARCH.VBS.
When the .CAB file is installed via a web process, the .INF file and the .VBS file are executed, changing the start and search pages for Internet Explorer to the web address 'www.searchwww.com'. The changes are made in the system registry -
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Search Page" = http://www.searchwww.com/
"Start Page" = http://www.searchwww.com/
To maintain these settings, the virus copies itself to the Startup folder -
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs
When Internet Explorer is launched, the user may experience numerous pop up ads.
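A host-side check for the indicators listed above, as an added example (not Fortinet's code): it looks in every loaded user hive for the redirected "Start Page" and "Search Page" values and in the All Users Startup folder for Search.vbs. The function name and the shape of the output objects are assumptions of this example.

```powershell
# Added example: host check for the indicators listed in the write-up above.
# The function name and the output object shape are assumptions of this example.
function Find-IEStartIndicator {
    [CmdletBinding()]
    param(
        [string]$Domain     = 'searchwww.com',  # redirect target named in the write-up
        [string]$ScriptName = 'Search.vbs'      # dropped script named in the write-up
    )

    # Registry: HKCU is per user, so walk every hive currently loaded under HKEY_USERS.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in 'Start Page', 'Search Page') {
            $value = $props.$name
            if ($value -like "*$Domain*") {
                [pscustomobject]@{ Indicator = 'Registry'; Location = "$key\$name"; Value = $value }
            }
        }
    }

    # Persistence: check the Startup path given in the write-up and the folder the
    # running OS reports as common Startup (on newer Windows both may be the same file).
    $common = [Environment]::GetFolderPath('CommonStartup')
    $startupDirs = @('C:\Documents and Settings\All Users\Start Menu\Programs\Startup', $common) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $startupDirs) {
        $file = Join-Path $dir $ScriptName
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $item = Get-Item -LiteralPath $file -Force
            [pscustomobject]@{ Indicator = 'StartupFile'; Location = $item.FullName; Value = $item.LastWriteTime }
        }
    }
}

$hits = @(Find-IEStartIndicator)
if ($hits.Count) { $hits | Format-List } else { 'No IEStart.H indicators found on this host.' }
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so run the check in each user's session or load their NTUSER.DAT before relying on a clean result.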
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability
FortiClient | Extreme
---|---
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |