
TrojanDropper:Win32/Startpage.B


First posted on 13 August 2010.
Source: SecurityHome

Aliases :

There are no other names known for TrojanDropper:Win32/Startpage.B.

Explanation :

TrojanDropper:Win32/Startpage.B is a generic detection for a group of trojans that install a web browser helper object (BHO) that changes the start page for Internet Explorer.

Installation

TrojanDropper:Win32/Startpage.B may be installed by other malware or when visiting a malicious webpage. When run, the trojan may drop several files into a newly created, randomly named folder:

%ProgramFiles%\<random 7 letters>\install_##.jse - installer script; "##" is a 2-digit number
%ProgramFiles%\<random 7 letters>\apple.dll - the BHO component, detected as Trojan:Win32/BHO
%ProgramFiles%\<random 7 letters>\<other executables>

The dropper then executes all dropped files with ".jse" and ".exe" file extensions. When run, "install_##.jse" installs the dropped BHO component. In one example, the registry was modified as follows:

Sets value: "(default)"
With data: "tencent browser helper"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}

Sets value: "(default)"
With data: "%ProgramFiles%\Windows Tasks\tencent\adobe\napstat.dll"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\InprocServer32

In the above example, "napstat.dll" is a copy of the BHO component "apple.dll".

Payload

Changes web browser behavior
The installed BHO component changes the function or default settings of the web browser. Changes can include modifying the start page.
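The registry and file-system changes described above are a pattern a responder can hunt for offline. The Python below is an added example, not code from the original write-up: it parses a registry export (the text `reg export HKLM\SOFTWARE hklm.reg` produces), lists every CLSID registered as a Browser Helper Object, resolves its InprocServer32 DLL path, and flags entries whose CLSID matches the sample, whose DLL sits in a seven-letter folder directly under Program Files, or whose DLL sits under the "Windows Tasks" lookalike folder; it also flags the dropper's on-disk leftovers. It assumes the standard BHO enumeration key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, which the write-up does not show but which a BHO must be listed under for Internet Explorer to load it (the CLSID registration alone only makes the DLL a loadable COM object). The .reg sample, the second and third CLSIDs, the folder name "qwzxprt", and treating "Program Files\Windows Tasks" as always suspicious are constructed for this example; the path regexes also assume %ProgramFiles% expands to the default "C:\Program Files".

```python
"""Hunt for Startpage.B-style BHO installs in an offline registry export.

Added example, not from the original write-up. Runs entirely on constructed
sample data so it can be tried anywhere; on a live host feed it the output
of `reg export HKLM\SOFTWARE hklm.reg` and a listing of %ProgramFiles%.
"""
import re
from typing import Dict, List, Tuple

# Key where Internet Explorer enumerates BHOs (standard location; assumption
# in the sense that the write-up only shows the CLSID registration).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# CLSID quoted in the write-up's sample.
KNOWN_CLSIDS = {"{0C7C23EF-A848-485B-873C-0ED954731014}"}

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# %ProgramFiles%\<random 7 letters>\... as described under Installation.
RANDOM_DIR_RE = re.compile(r"^[A-Z]:\\Program Files\\[A-Z]{7}\\", re.I)
# "Windows Tasks" under Program Files is the lookalike folder from the sample;
# treating it as always suspicious is an assumption of this example.
LOOKALIKE_DIR_RE = re.compile(r"^[A-Z]:\\Program Files\\Windows Tasks\\", re.I)
# install_##.jse or apple.dll inside the seven-letter folder (dropper leftovers).
DROPPER_FILE_RE = re.compile(
    r"^[A-Z]:\\Program Files\\[A-Z]{7}\\(?:install_\d{2}\.jse|apple\.dll)$", re.I)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {lower-cased key path: {value name: value}}. Only quoted string
    values are unescaped; other value types are kept as their raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo .reg escaping of \ and "
        keys[current][name] = value
    return keys


def find_suspicious_bhos(reg_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (CLSID, DLL path, reasons) for each registered BHO that trips a heuristic."""
    keys = parse_reg_export(reg_text)
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if not GUID_RE.match(clsid):
            continue
        inproc = keys.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), {})
        dll = inproc.get("@", "")
        reasons = []
        if clsid.upper() in KNOWN_CLSIDS:
            reasons.append("CLSID matches the Startpage.B sample")
        if RANDOM_DIR_RE.match(dll):
            reasons.append("DLL lives in a seven-letter folder directly under Program Files")
        if LOOKALIKE_DIR_RE.match(dll):
            reasons.append("DLL lives under the 'Windows Tasks' lookalike folder")
        if not dll:
            reasons.append("BHO registered but no InprocServer32 path (dangling registration)")
        if reasons:
            findings.append((clsid.upper(), dll, reasons))
    return findings


def find_dropper_artifacts(paths: List[str]) -> List[str]:
    """Flag install_##.jse / apple.dll inside %ProgramFiles%\\<7 letters>\\."""
    return [p for p in paths if DROPPER_FILE_RE.match(p)]


# Constructed sample export: the write-up's CLSID, a constructed second BHO in a
# random seven-letter folder, and a constructed benign BHO that should not fire.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}]
@="tencent browser helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C7C23EF-A848-485B-873C-0ED954731014}\InprocServer32]
@="C:\\Program Files\\Windows Tasks\\tencent\\adobe\\napstat.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C7C23EF-A848-485B-873C-0ED954731014}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\qwzxprt\\apple.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"""

# Constructed directory listing; only the first two are dropper artifacts.
SAMPLE_PATHS = [
    r"C:\Program Files\qwzxprt\install_07.jse",
    r"C:\Program Files\qwzxprt\apple.dll",
    r"C:\Program Files\qwzxprt\update.exe",
    r"C:\Program Files\Vendor\install_01.jse",
    r"C:\Program Files\Common Files\helper.dll",
]

if __name__ == "__main__":
    for clsid, dll, reasons in find_suspicious_bhos(SAMPLE_REG):
        print(clsid, dll, "; ".join(reasons))
    for path in find_dropper_artifacts(SAMPLE_PATHS):
        print("dropper artifact:", path)
```

The benign entry is deliberately in a six-letter folder so that only the seven-letter pattern from the write-up fires; widen or replace the path heuristics to suit your own Program Files layout, and treat the "dangling registration" reason as a lead rather than a verdict, since uninstallers also leave BHO entries behind.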

Analysis by Dan Kurc

Last update 13 August 2010

 
