STARTPAGE


 ALIASES:

StartPa

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


STARTPAGE is a family of Trojans designed to modify the affected system's Internet browser's default start page. STARTPAGE redirects the browser to malicious websites. It can also modify the browser settings and default search features. The redirection usually leads to advertisement sites or to fake/rogue antivirus sites.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Modifies HOSTS file

Installation

This Trojan drops the following files:

  • %Program Files%\Thunder\Wrper.syc
  • %System Root%\Documents and Settings\All Users\Desktop\Internet Explorer.lnk
  • %Windows%\Web\oslogo.bmp
  • %Windows%\Web\tips.ini
  • %Windows%\Web\win.def
  • %Windows%\default.css
  • %Windows%\hh.htt

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It creates the following folders:

  • %Program Files%\Thunder

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CLASSES_ROOT\lnkfile\shell

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\msn.com

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
lnkfile\shell

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\{BLOCKED}search.com

It adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\lnkfile\shell\
open\command
{default} = ""%System%\WScript.exe" "%Program Files%\Thunder\Wrper.syc" "%1" %*"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
Search = "http://acc.{BLOCKED}all.com/--/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
Search = "http://in.{BLOCKED}nter.cc/--/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
SearchURL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
SearchURL = "http://acc.{BLOCKED}all.com/--/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
SearchURL = "http://in.{BLOCKED}nter.cc/--/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer
SearchURL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://acc.{BLOCKED}all.com/-/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://in.{BLOCKED}nter.cc/-/?khsn"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://www.{BLOCKED}search.com/z/a/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://acc.{BLOCKED}all.com/--/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://in.{BLOCKED}nter.cc/--/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
HOMEOldSP = "http://www.{BLOCKED}search.com/z/a/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
HOMEOldSP = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://acc.{BLOCKED}all.com/---/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://in.{BLOCKED}nter.cc/---/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}search.com/z/c/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}search.com/z/c/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use Search Assistant = "yes"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://acc.{BLOCKED}all.com/--/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://in.{BLOCKED}nter.cc/--/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://acc.{BLOCKED}all.com/---/?pgdoc"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://in.{BLOCKED}nter.cc/---/?khsnt"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles
Use My Stylesheet = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\oslogo.bmp"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\tips.ini"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\win.def"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
lnkfile\shell\open\
command
{default} = ""%System%\WScript.exe" "%Program Files%\Thunder\Wrper.syc" "%1" %*"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer
Search = "http://acc.{BLOCKED}all.com/--/?pgdoc"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer
Search = "http://in.{BLOCKED}nter.cc/--/?khsnt"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Use Search Assistant = "yes"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Styles
Use My Stylesheet = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\oslogo.bmp"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\default.css"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Styles
User Stylesheet = "%Windows%\hh.htt"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387 about:blank "

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://acc.{BLOCKED}all.com/--/?pgdoc"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://in.{BLOCKED}nter.cc/--/?khsnt"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}earch.com/z/b/x1.cgi?344012"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Search Page = "http://acc.{BLOCKED}all.com/--/?pgdoc"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Search Page = "http://in.{BLOCKED}nter.cc/--/?khsnt"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

(Note: The default value data of the said registry entry is {default homepage}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Start Page = "http://acc.{BLOCKED}all.com/-/?pgdoc about:blank "

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Start Page = "http://in.{BLOCKED}nter.cc/-/?khsnt about:blank "

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://acc.{BLOCKED}all.com/--/?pgdoc"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://in.{BLOCKED}nter.cc/--/?khsnt"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://acc.{BLOCKED}all.com/---/?pgdoc"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://in.{BLOCKED}nter.cc/---/?khsnt"

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012

(Note: The default value data of the said registry entry is {default}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

(Note: The default value data of the said registry entry is {default}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Page = "http://acc.{BLOCKED}all.com/--/?pgdoc"

(Note: The default value data of the said registry entry is {default}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Page = "http://in.{BLOCKED}nter.cc/--/?khsnt"

(Note: The default value data of the said registry entry is {default}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"

(Note: The default value data of the said registry entry is {default}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"

(Note: The default value data of the said registry entry is {default}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://acc.{BLOCKED}all.com/-/?pgdoc about:blank "

(Note: The default value data of the said registry entry is {default}.)

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://acc.{BLOCKED}all.com/---/?pgdoc
  • http://acc.{BLOCKED}all.com/--/?pgdoc
  • http://acc.{BLOCKED}all.com/-/?pgdoc
  • http://in.{BLOCKED}nter.cc/---/?khsnt
  • http://in.{BLOCKED}nter.cc/--/?khsnt
  • http://in.{BLOCKED}nter.cc/-/?khsnt
  • http://www.{BLOCKED}search.com/z/a/x1.cgi?344012
  • http://www.{BLOCKED}search.com/z/a/x1.cgi?656387
  • http://www.{BLOCKED}search.com/z/b/x1.cgi?344012
  • http://www.{BLOCKED}search.com/z/b/x1.cgi?656387
  • http://www.{BLOCKED}search.com/z/c/x1.cgi?344012
  • http://www.{BLOCKED}search.com/z/c/x1.cgi?656387
  • http://www.{BLOCKED}0.com/?g3
  • http://www.{BLOCKED}3.com/?tn=02023048_25_hao_pg