
Trojan:Win32/Startpage.UY


First posted on 14 December 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Startpage.UY is also known as TR/Rogue.KD.792844 (Avira), TROJ_STARTPA.AET (Trend Micro), Startpage.RYM (AVG), Trojan.StartPage.49173 (Dr.Web), Trojan.Win32.Startpage (other), Win32/StartPage.OOW (ESET), Win-Trojan/StartPage.140800 (AhnLab).

Explanation:



Trojan:Win32/Startpage.UY is a trojan that modifies the home page and search settings for Internet Explorer, Google Chrome, Mozilla Firefox and Opera.

You may inadvertently download and run the trojan, thinking it is a legitimate program or file.

Installation

When run, the trojan sets the default start page and search engine in Google Chrome, Internet Explorer, Mozilla Firefox and Opera to http://ecostartpage.com.

After it has performed its payload, the trojan drops the following file, which deletes the trojan's own copy:

%TEMP%\suicide.exe

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".



Payload

Modifies Internet Explorer settings

Trojan:Win32/Startpage.UY sets the start page and default search engine in Internet Explorer by modifying the following registry entries:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://ecostartpage.com"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
Sets value: "URL"
With data: "http://ecostartpage.com/index.php?q={searchTerms}"

Modifies Google Chrome settings

If you have Google Chrome installed, the trojan sets the start page and default search engine by modifying the default preferences file as follows:

"homepage": "http://ecostartpage.com",
"session": {"restore_on_startup": 4,
"restore_on_startup_migrated": true,
"urls_to_restore_on_startup": [ "http://ecostartpage.com" ]},

The default preferences file is stored in "%APPDATA%\Google\Chrome\User Data\Default\Preferences".

Modifies Mozilla Firefox settings

If you have Mozilla Firefox installed, the trojan creates a default settings folder, as "%APPDATA%\Mozilla\Firefox\Profiles\<eight random characters>.default". It places a preferences file, "prefs.js", into the folder with the following settings:

  • user_pref("browser.startup.homepage", "http://ecostartpage.com")
  • user_pref("browser.search.selectedEngine", "EcoStartPage")


Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".

The trojan sets the default search engine by adding the file "EcoStartPage.xml" to the default settings folder, under the "searchplugins" folder.

Modifies Opera settings

If you have Opera installed, the trojan sets the start page by modifying the file "%APPDATA%\Opera\Opera\operaprefs.ini" as follows:

[User Prefs]
Home URL= http://ecostartpage.com
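The following is an added example, not part of the original write-up: a read-only PowerShell check that looks for the Internet Explorer, Chrome, Firefox and Opera indicators listed in the Payload section above in the current user's profile. It assumes the indicator strings and paths from the write-up; because the Firefox profile name is random, every "*.default" profile is checked, and the Chrome Preferences file is looked for under both %APPDATA% (as stated above) and %LOCALAPPDATA% (where current Chrome versions keep it), which is an assumption of this example.

```powershell
# Added example: check one user profile for the Trojan:Win32/Startpage.UY settings changes
# described in the write-up. Read-only; it reports findings but changes nothing.
$indicator = 'ecostartpage.com'
$findings  = @()

# Internet Explorer: "Start Page" and every SearchScopes {GUID} "URL" value
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match $indicator) { $findings += "IE Start Page = $startPage" }
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $url = (Get-ItemProperty -Path $_.PSPath).URL
    if ($url -match $indicator) { $findings += "IE SearchScope $($_.PSChildName) URL = $url" }
}

# Google Chrome: "homepage" and "urls_to_restore_on_startup" in the Default profile's Preferences
# (assumption: checked under both %APPDATA%, as in the write-up, and %LOCALAPPDATA%)
foreach ($base in @($env:APPDATA, $env:LOCALAPPDATA)) {
    $chromePrefs = Join-Path $base 'Google\Chrome\User Data\Default\Preferences'
    if (-not (Test-Path $chromePrefs)) { continue }
    $prefs = Get-Content -Path $chromePrefs -Raw | ConvertFrom-Json
    if ($prefs.homepage -match $indicator) { $findings += "Chrome homepage = $($prefs.homepage)" }
    foreach ($u in @($prefs.session.urls_to_restore_on_startup)) {
        if ($u -match $indicator) { $findings += "Chrome startup URL = $u" }
    }
}

# Mozilla Firefox: user_pref lines in prefs.js and the dropped searchplugins\EcoStartPage.xml
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $ffProfiles -Directory -Filter '*.default' -ErrorAction SilentlyContinue | ForEach-Object {
    $prefsJs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefsJs) {
        Select-String -Path $prefsJs -Pattern $indicator, 'EcoStartPage' |
            ForEach-Object { $findings += "Firefox $($_.Filename): $($_.Line.Trim())" }
    }
    $plugin = Join-Path $_.FullName 'searchplugins\EcoStartPage.xml'
    if (Test-Path $plugin) { $findings += "Firefox search plugin dropped: $plugin" }
}

# Opera: "Home URL" under [User Prefs] in operaprefs.ini
$operaIni = Join-Path $env:APPDATA 'Opera\Opera\operaprefs.ini'
if (Test-Path $operaIni) {
    Select-String -Path $operaIni -Pattern "^\s*Home URL\s*=.*$indicator" |
        ForEach-Object { $findings += "Opera: $($_.Line.Trim())" }
}

# Report: any finding means this profile carries the hijacked settings and they need resetting
if ($findings.Count -eq 0) { 'No Startpage.UY indicators found in this user profile.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it in the affected user's session, since the registry entries and profile folders are per user.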



Analysis by Alden Pornasdoro

Last update 14 December 2012
