Trojan:Win32/Startpage.SM
First posted on 18 January 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Startpage.SM is also known as Startpage.QEC (AVG), Trojan.StartPage.40824 (Dr.Web), Win32/TrojanDownloader.Agent.RAL (ESET).
Explanation:
Trojan:Win32/Startpage.SM is a trojan that may modify the default Internet Explorer home page on an affected computer.
Installation
Trojan:Win32/Startpage.SM may be installed by other malware. It may be present as an executable file that varies among samples of the trojan.
Payload
Modifies system settings
The trojan attempts to download a configuration file from a predefined remote server, as in the following examples:
- cooksh<removed>l.com/download/cd/config.rar
- cookfr<removed>dom.com/download/cd/config.rar
- vote17<removed>com/download/cd/config.rar
- cook16<removed>com/download/cd/config.rar
- down.c<removed>kshell.com/download/cd/config.rar
- down.c<removed>kfreedom.com/download/cd/config.rar
- down.v<removed>e178.com/download/cd/config.rar
- down.c<removed>k163.com/download/cd/config.rar
At the time of writing, these websites were no longer available.
Trojan:Win32/Startpage.SM attempts to save the requested configuration file as %TEMP%\config.ini. The trojan uses the configuration file to modify Internet Explorer settings, such as the "Start Page" of Internet Explorer, by changing registry data within the following subkey:
HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN
Trojan:Win32/Startpage.SM also uses the configuration file to access various other webpages in order to increase site counter values.
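The three behaviours described above (the config.rar request, the %TEMP%\config.ini write and the change under the Internet Explorer MAIN subkey) can be correlated per host and process for triage. The following is an added example, not part of the original write-up; the event tuple layout, host names and sample events are constructed assumptions, and the request is matched on its URL path because the server names vary and are redacted here.

```python
import re
from collections import defaultdict

# Behaviours taken from the write-up; the event schema below is an assumption.
CONFIG_URL = re.compile(r"/download/cd/config\.rar$", re.I)
TEMP_CONFIG = re.compile(r"\\temp\\config\.ini$", re.I)
IE_MAIN = r"hklm\software\microsoft\internet explorer\main"

# Constructed sample telemetry (host, process, kind, target); not real logs.
SAMPLE_EVENTS = [
    ("pc-01", "a.exe", "http", "http://files.example.test/download/cd/config.rar"),
    ("pc-01", "a.exe", "file_write", r"C:\Users\u1\AppData\Local\Temp\config.ini"),
    ("pc-01", "a.exe", "reg_set", r"HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"),
    ("pc-02", "iexplore.exe", "reg_set", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
    ("pc-03", "setup.exe", "file_write", r"C:\Users\u2\AppData\Local\Temp\config.ini"),
]

def classify(kind, target):
    """Map one event to the behaviour it matches, or None."""
    t = target.strip()
    if kind == "http" and CONFIG_URL.search(t.split("?", 1)[0]):
        return "config_download"
    if kind == "file_write" and TEMP_CONFIG.search(t):
        return "temp_config_ini"
    if kind == "reg_set" and t.lower().startswith(IE_MAIN + "\\"):
        return "ie_main_write"
    return None

def triage(events):
    """Group matched behaviours per (host, process) and grade them."""
    seen = defaultdict(set)
    for host, proc, kind, target in events:
        hit = classify(kind, target)
        if hit:
            seen[(host, proc)].add(hit)
    report = {}
    for key, hits in seen.items():
        # One behaviour alone is weak (config.ini is a common file name);
        # the HKLM write plus either fetch artefact is the strong signal.
        strong = "ie_main_write" in hits and len(hits) >= 2
        report[key] = ("high" if strong else "low", sorted(hits))
    return report

if __name__ == "__main__":
    for (host, proc), (grade, hits) in triage(SAMPLE_EVENTS).items():
        print(host, proc, grade, ", ".join(hits))
```

Telemetry that spells the hive as HKEY_LOCAL_MACHINE would need normalising before it reaches `classify`.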
Analysis by Hong Jia
Last update 18 January 2012