TROJ_STARTPA.ZH
Platform: Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan changes the user's Internet Explorer home page to a specific website. Redirecting the browser to an attacker-chosen site, which may host further malware, puts the affected computer at greater risk of infection. It also drops a copy of itself into the Windows folder, registers that copy under several Run keys so it runs at every logon, and adds itself to the Windows Firewall exception list.
TECHNICAL DETAILS
Installation
This Trojan drops the following copy of itself onto the affected system:
- %Windows%\nvsvc32.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
Other System Modifications
This Trojan also adds the following registry entry under the Terminal Server install-mode shadow of the Run key, a less commonly inspected autostart location that is easy to miss when checking only the two standard Run keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
It creates the following registry entry to add itself to the Windows Firewall exception list, so its network traffic is not blocked. The value data follows the format {path}:{scope}:{state}:{display name}; "*" means all networks, "Enabled" switches the exception on, and the display name imitates an NVIDIA driver component:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and file name} = "%Windows%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
Web Browser Home Page and Search Page Modification
This Trojan sets the user's Internet Explorer home page to the following website:
- http://{BLOCKED}turls.info
Other Details
This Trojan sets the attributes of the following files to Hidden and System, so they do not appear in Windows Explorer or in a plain dir listing under default settings (use dir /a or attrib to see them):
- {malware path and file name}
- %Windows%\nvsvc32.exe
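The following script is an added example and is not part of the Trend Micro entry. It audits a host for every artifact listed above (the three Run values, the firewall exception, the home page change and the hidden dropped file) and, with -Remove, cleans them up. It assumes Windows PowerShell 2.0 or later in an elevated prompt, that Internet Explorer stores the home page in the 'Start Page' value under HKCU\Software\Microsoft\Internet Explorer\Main (the entry does not name that value), and it matches the redirect domain on its visible suffix only, because the entry redacts the rest.

```powershell
# Added example, not part of the Trend Micro entry: audit a host for the
# TROJ_STARTPA.ZH artifacts listed above and optionally remove them.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
param([switch]$Remove)

$valueName = 'NVIDIA driver monitor'
$dropped   = Join-Path $env:windir 'nvsvc32.exe'   # %Windows%\nvsvc32.exe (C:\Windows or C:\WINNT)
$findings  = @()

# 1. Run keys named in the entry, including the Terminal Server install-mode shadow key
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item -and ($item.GetValueNames() -contains $valueName)) {
        $findings += "Run value '$valueName' = $($item.GetValue($valueName)) in $key"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName -Force }
    }
}

# 2. Windows Firewall exception. The value name is the malware path and the data is
#    {path}:{scope}:{state}:{display name}. Match on the path, not on the display
#    name, because the name is attacker-chosen and can be anything.
$fwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwItem = Get-Item -Path $fwKey -ErrorAction SilentlyContinue
if ($fwItem) {
    foreach ($name in $fwItem.GetValueNames()) {
        $data = [string]$fwItem.GetValue($name)
        if ($name -like '*\nvsvc32.exe' -or $data -like '*\nvsvc32.exe:*') {
            $findings += "Firewall exception '$name' = $data"
            if ($Remove) { Remove-ItemProperty -Path $fwKey -Name $name -Force }
        }
    }
}

# 3. IE home page. Assumption: IE keeps it in 'Start Page' under this key (the entry
#    does not say where). The domain is redacted in the entry, so match its visible suffix.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -and $startPage -like '*turls.info*') {
    $findings += "IE Start Page = $startPage"
    if ($Remove) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
}

# 4. Dropped copy. It is Hidden+System, so Get-Item needs -Force to see it at all.
$file = Get-Item -Path $dropped -Force -ErrorAction SilentlyContinue
if ($file) {
    $hidden = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $system = ($file.Attributes -band [IO.FileAttributes]::System) -ne 0
    $findings += "File $dropped present (Hidden=$hidden System=$system)"
    if ($Remove) {
        # A running copy holds the file open, so stop it before deleting
        Stop-Process -Name 'nvsvc32' -Force -ErrorAction SilentlyContinue
        $file.Attributes = [IO.FileAttributes]::Normal   # clear Hidden/System before deleting
        Remove-Item -Path $dropped -Force
    }
}

if ($findings.Count -eq 0) { 'No TROJ_STARTPA.ZH artifacts found.' } else { $findings }
```

Run it in the context of the affected user, or load that user's hive, since the HKCU Run value and the home page live in the per-user registry. The original dropper, listed in the entry only as {malware path and file name}, is not at a known location and has to be traced separately (the firewall value name records the path the sample was run from, which is a good starting point). The file path is the discriminator here: the Trojan's copy sits directly in %Windows%, whereas legitimate NVIDIA driver components live under %System%. On the Windows 2000/XP/2003 platforms the entry lists, PowerShell is not installed by default.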