
Trojan:Win32/StartPage.SH


First posted on 05 January 2012.
Source: Microsoft

Aliases:

Trojan:Win32/StartPage.SH is also known as Dropper.NSIS.E (AVG), TR/Dropper.Gen (Avira), NSIS/TrojanClicker.Agent.BG.Gen (ESET), Trojan.Script.StartPage.ca (Rising AV), Trojan.StartPage (Symantec), TROJ_SPNR.15KL11 (Trend Micro).

Explanation:

Trojan:Win32/Startpage.SH is a trojan that replaces the Windows desktop icon for Internet Explorer with an icon that runs the trojan instead. This trojan also changes Windows system settings.

Installation
This trojan may be distributed as an installation file. When run, it creates the following files:

  • %ProgramFiles%\Microsoft\Internat Explorar\desktop.ini
  • %ProgramFiles%\Microsoft\Internat Explorar\target.lnk - shortcut link, used by the trojan to open a potentially unwanted website
  • %ALLUSERSPROFILE%\Desktop\Internat Explorar.oc - when run, launches Internet Explorer to open shortcut link "target.lnk" above
The trojan creates a Windows desktop icon (pictured in the original entry) that will start Internet Explorer and visit a potentially unwanted website when double-clicked.

The registry is modified so the trojan can execute when the icon is double-clicked by a user.

In subkey: HKLM\SOFTWARE\Classes\.oc
Sets value: "(default)"
With data: "ocfile"

In subkey: HKLM\SOFTWARE\Classes\ocfile\DefaultIcon
Sets value: "(default)"
With data: "%1"

In subkey: HKLM\SOFTWARE\Classes\ocfile\shell\open\command
Sets value: "(default)"
With data: "explorer "%ProgramFiles%\Microsoft\Internat Explorar""

Payload
Disables Internet Explorer desktop icon
The trojan hides the Windows desktop icon for Internet Explorer by modifying registry data.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Sets value: "Attributes"
With data: "3" (default value is "0")

Changes web browser start page
If the trojan-created desktop icon "Internat Explorar" is double-clicked to launch the "web browser", as intended by a user, Internet Explorer is launched and opens one of the following potentially unwanted websites:
  • tt265.net
  • pp1234.cn
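The file, registry and website indicators listed in the Installation and Payload sections above can be checked on a host with the following PowerShell script. It is an added example for this entry, not Microsoft's tooling, and it assumes an elevated PowerShell 5.1 or later session on the affected machine; every path, key, value and domain it looks for is taken from the entry, and the -Remediate switch (a hypothetical option of this script) reverses exactly those changes and nothing else.

```powershell
# Added example (not part of the original entry): scan a host for the
# indicators described for Trojan:Win32/StartPage.SH and, optionally,
# undo them. Run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch: read-only unless supplied

$findings = @()

# --- File indicators (Installation section) ---------------------------------
$dir   = Join-Path $env:ProgramFiles 'Microsoft\Internat Explorar'
$files = @(
    (Join-Path $dir 'desktop.ini'),
    (Join-Path $dir 'target.lnk'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop\Internat Explorar.oc')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# If target.lnk exists, resolve the shortcut and look for the two websites
# named in the entry (list constructed from the page).
$knownSites = @('tt265.net', 'pp1234.cn')
$lnk = Join-Path $dir 'target.lnk'
if (Test-Path -LiteralPath $lnk) {
    $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk)
    foreach ($site in $knownSites) {
        if (($sc.TargetPath -like "*$site*") -or ($sc.Arguments -like "*$site*")) {
            $findings += "target.lnk refers to $site"
        }
    }
}

# --- Registry indicators: the ".oc" file association -------------------------
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.oc';                     Expect = 'ocfile' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\ocfile\DefaultIcon';       Expect = '%1' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\ocfile\shell\open\command'; Expect = '*Internat Explorar*' }
)
foreach ($c in $regChecks) {
    if (Test-Path -LiteralPath $c.Key) {
        # The "(default)" value is exposed by Get-ItemProperty under that literal name.
        $val = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).'(default)'
        if ($val -like $c.Expect) { $findings += "Registry: $($c.Key) (default) = '$val'" }
    }
}

# --- Payload indicator: hidden Internet Explorer desktop icon (current user) --
$ieShellFolder = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\' +
                 '{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder'
if (Test-Path -LiteralPath $ieShellFolder) {
    $attr = (Get-ItemProperty -LiteralPath $ieShellFolder -ErrorAction SilentlyContinue).Attributes
    if ($attr -eq 3) { $findings += "IE desktop icon hidden: Attributes=$attr (default 0)" }
}

# --- Report --------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Host 'No StartPage.SH indicators found.'
} else {
    $findings | ForEach-Object { Write-Host "[!] $_" }
}

# --- Optional clean-up: reverse only the changes the entry documents ----------
if ($Remediate -and $findings.Count -gt 0) {
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force }
    foreach ($k in 'HKLM:\SOFTWARE\Classes\ocfile', 'HKLM:\SOFTWARE\Classes\.oc') {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
    if (Test-Path -LiteralPath $ieShellFolder) {
        Set-ItemProperty -LiteralPath $ieShellFolder -Name Attributes -Value 0 -Type DWord
    }
    Write-Host 'Remediation applied; sign out and back in to refresh the desktop.'
}
```

The ShellFolder check only covers HKCU for the account running the script; the entry describes a per-user change, so run the script as each user who used the machine, or translate the HKCU path to HKEY_USERS\<SID> for offline accounts. The file and HKLM checks are machine-wide and need administrator rights to remediate.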


Analysis by Hyun Choi

Last update 05 January 2012
