
Trojan:Win32/Startpage.VU


First posted on 07 June 2016.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Startpage.VU.

Explanation:

Installation

This threat copies itself to c:\documents and settings\administrator\application data\arhome\uninstall.exe. The malware creates the following files on your PC:

  • c:\documents and settings\administrator\application data\addonvont.zip
  • c:\documents and settings\administrator\application data\arhome\updater.exe
  • c:\documents and settings\administrator\application data\arhome\updater.zip
  • c:\documents and settings\administrator\application data\volie\adsafe_32.dll
  • c:\documents and settings\administrator\application data\volie\adsafe_64.dll
  • c:\documents and settings\administrator\application data\volie\ie.zip
  • c:\documents and settings\administrator\application data\volie\onload.js
  • c:\documents and settings\administrator\local settings\application data\r.reg
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data-journal
  • c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{89aadb18-50cf-11e3-8377-00db7fa21005}.dat
  • c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{82f8a055-50cf-11e3-8377-00db7fa21005}.dat
  • c:\documents and settings\administrator\local settings\temp\~df6e6b.tmp
  • c:\documents and settings\administrator\local settings\temp\~df81df.tmp

The malware registers the file c:\documents and settings\administrator\application data\volie\adsafe_32.dll using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is used to register or unregister a Component Object Model (COM) dynamic link library (DLL). The /s parameter lets regsvr32.exe run silently without displaying any messages. This action can result in the following registry modifications:

  • Adds value "(default)" with data "adsafe" to subkey hku\Administrator\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
  • Adds value "(default)" with data "adsafe" to subkey hklm\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
  • Adds value "(default)" with data "adsafe.adsafe" to subkey hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\versionindependentprogid
  • Adds value "(default)" with data "{3fc2d59a-5c76-1e97-30dc-1ec6784419e5}" to subkey hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\typelib
  • Adds value "(default)" with data "adsafe.adsafe.1" to subkey hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\progid
  • Adds value "(default)" with data "c:\documents and settings\administrator\application data\volie\adsafe_32.dll" to subkey hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\inprocserver32
  • Adds value "(default)" with data "adsafe class" to subkey hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}
  • Adds value "(default)" with data "{598ac71e-be58-3981-b78a-5c138f423ad6}" to subkey hklm\software\classes\adsafe.adsafe\clsid
  • Adds value "(default)" with data "{598ac71e-be58-3981-b78a-5c138f423ad6}" to subkey hklm\software\classes\adsafe.adsafe.1\clsid

Payload

Contacts remote host

Trojan:Win32/Startpage.VU might contact a remote host at www.acdcads.com using port 80. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 623d8a21acdbe5808b40118a599f79998ce72519.

Last update 07 June 2016
