STARTPAGE
Platform: Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
STARTPAGE is a family of Trojans designed to modify the default start page of the affected system's Internet browser. It redirects the browser to malicious websites, and it can also modify other browser settings and the default search features. The redirection usually leads to advertisement sites or to fake/rogue antivirus sites.
TECHNICAL DETAILS
Yes
Modifies HOSTS file
Installation
This Trojan drops the following files:
- %Program Files%\Thunder\Wrper.syc
- %System Root%\Documents and Settings\All Users\Desktop\Internet Explorer.lnk
- %Windows%\Web\oslogo.bmp
- %Windows%\Web\tips.ini
- %Windows%\Web\win.def
- %Windows%\default.css
- %Windows%\hh.htt
(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It creates the following folders:
- %Program Files%\Thunder
(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_CLASSES_ROOT\lnkfile\shell
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{BLOCKED}search.com
It adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\lnkfile\shell\open\command
{default} = ""%System%\WScript.exe" "%Program Files%\Thunder\Wrper.syc" "%1" %*"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Search = "http://acc.{BLOCKED}all.com/--/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Search = "http://in.{BLOCKED}nter.cc/--/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
SearchURL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
SearchURL = "http://acc.{BLOCKED}all.com/--/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
SearchURL = "http://in.{BLOCKED}nter.cc/--/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
SearchURL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Page_URL = "http://acc.{BLOCKED}all.com/-/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Page_URL = "http://in.{BLOCKED}nter.cc/-/?khsn"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Page_URL = "http://www.{BLOCKED}search.com/z/a/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Page_URL = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://acc.{BLOCKED}all.com/--/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://in.{BLOCKED}nter.cc/--/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HOMEOldSP = "http://www.{BLOCKED}search.com/z/a/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HOMEOldSP = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Bar = "http://acc.{BLOCKED}all.com/---/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Bar = "http://in.{BLOCKED}nter.cc/---/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}search.com/z/c/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}search.com/z/c/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Use Search Assistant = "yes"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://acc.{BLOCKED}all.com/--/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://in.{BLOCKED}nter.cc/--/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
SearchAssistant = "http://acc.{BLOCKED}all.com/---/?pgdoc"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
SearchAssistant = "http://in.{BLOCKED}nter.cc/---/?khsnt"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
Use My Stylesheet = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\oslogo.bmp"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\tips.ini"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\win.def"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
{default} = ""%System%\WScript.exe" "%Program Files%\Thunder\Wrper.syc" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
Search = "http://acc.{BLOCKED}all.com/--/?pgdoc"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
Search = "http://in.{BLOCKED}nter.cc/--/?khsnt"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
Search = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Use Search Assistant = "yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
Use My Stylesheet = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\Web\oslogo.bmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\default.css"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
User Stylesheet = "%Windows%\hh.htt"
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = "http://www.{BLOCKED}search.com/z/a/x1.cgi?656387 about:blank "
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://acc.{BLOCKED}all.com/--/?pgdoc"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://in.{BLOCKED}nter.cc/--/?khsnt"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = "http://acc.{BLOCKED}all.com/--/?pgdoc"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = "http://in.{BLOCKED}nter.cc/--/?khsnt"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
(Note: The default value data of the said registry entry is {default homepage}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Start Page = "http://acc.{BLOCKED}all.com/-/?pgdoc about:blank "
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Start Page = "http://in.{BLOCKED}nter.cc/-/?khsnt about:blank "
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://acc.{BLOCKED}all.com/--/?pgdoc"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://in.{BLOCKED}nter.cc/--/?khsnt"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
CustomizeSearch = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant = "http://acc.{BLOCKED}all.com/---/?pgdoc"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant = "http://in.{BLOCKED}nter.cc/---/?khsnt"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
(Note: The default value data of the said registry entry is {default}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
SearchAssistant = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
(Note: The default value data of the said registry entry is {default}.)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page = "http://acc.{BLOCKED}all.com/--/?pgdoc"
(Note: The default value data of the said registry entry is {default}.)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page = "http://in.{BLOCKED}nter.cc/--/?khsnt"
(Note: The default value data of the said registry entry is {default}.)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?344012"
(Note: The default value data of the said registry entry is {default}.)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page = "http://www.{BLOCKED}search.com/z/b/x1.cgi?656387"
(Note: The default value data of the said registry entry is {default}.)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = "http://acc.{BLOCKED}all.com/-/?pgdoc about:blank "
(Note: The default value data of the said registry entry is {default}.)
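The registry and file artifacts listed above can be audited on a suspect host. The following PowerShell script is an added example written for this page, not code from Trend Micro or from the Trojan's author. It reads the Internet Explorer values and the lnkfile shell\open\command entry the Trojan is listed as adding or modifying, checks for the dropped files, and reports each hit with a suspicion flag. It assumes Windows PowerShell 5.1 or later in an elevated session (so the HKEY_LOCAL_MACHINE values are readable); the allow-list of hosts that a stock Internet Explorer start or search page normally points at, and the helper names Test-SuspiciousIeValue and Get-StartPageIndicators, are assumptions of this example.

```powershell
# Added audit script; it is NOT part of the Trend Micro entry. It reads the Internet
# Explorer values and the .lnk file-association command that this STARTPAGE variant
# is listed as adding or modifying, plus the dropped file paths, and reports them.
# Assumptions: Windows PowerShell 5.1 or later, run elevated so the HKLM values are
# readable; the "trusted host" pattern below is an assumption about stock IE defaults.

# Value names the entry lists under ...\Internet Explorer, \Main, \Search and \Styles.
$IeChecks = @(
    @{ Sub = '';        Names = @('Search', 'SearchURL') }
    @{ Sub = '\Main';   Names = @('Start Page', 'Default_Page_URL', 'Default_Search_URL',
                                  'Search Page', 'Search Bar', 'HOMEOldSP', 'Use Search Assistant') }
    @{ Sub = '\Search'; Names = @('CustomizeSearch', 'SearchAssistant') }
    @{ Sub = '\Styles'; Names = @('Use My Stylesheet', 'User Stylesheet') }
)

# Files the entry lists as dropped, with the placeholders expanded to the live folders.
$DroppedFiles = @(
    "$env:ProgramFiles\Thunder\Wrper.syc",
    "$env:windir\Web\oslogo.bmp", "$env:windir\Web\tips.ini", "$env:windir\Web\win.def",
    "$env:windir\default.css", "$env:windir\hh.htt"
)

# Hosts a stock IE start/search setting normally points at (assumption; adjust for your build).
$TrustedHostPattern = '(^|\.)(microsoft\.com|msn\.com|bing\.com|live\.com)$'

function Test-SuspiciousIeValue {
    param([string]$Name, [string]$Value)
    switch ($Name) {
        'Use Search Assistant' { return ($Value -eq 'yes') }   # the entry sets this to "yes"
        'Use My Stylesheet'    { return ($Value -eq '1') }     # the entry sets this to "1"
        'User Stylesheet'      { return $true }                # stock IE has no user stylesheet set
    }
    # Start Page values in the entry carry a URL followed by "about:blank".
    if ($Value -match '^https?://' -and $Value -match 'about:blank') { return $true }
    # Every other listed value is a start/search URL; flag hosts outside the trusted pattern.
    if ($Value -match '^https?://([^/\s:?#]+)') { return ($Matches[1] -notmatch $TrustedHostPattern) }
    return $false
}

function Get-StartPageIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($check in $IeChecks) {
            $path = "${hive}:\Software\Microsoft\Internet Explorer$($check.Sub)"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $props = Get-ItemProperty -LiteralPath $path
            foreach ($name in $check.Names) {
                $value = $props.$name
                if ([string]::IsNullOrEmpty($value)) { continue }
                $findings.Add([pscustomobject]@{
                    Kind = 'Registry'; Location = "$path\$name"; Value = [string]$value
                    Suspicious = Test-SuspiciousIeValue -Name $name -Value ([string]$value)
                })
            }
        }
    }
    # The entry lists lnkfile\shell\open\command as ADDED (WScript.exe running the dropped
    # Wrper.syc for every shortcut opened), so any such command present is reported for review.
    foreach ($path in 'Registry::HKEY_CLASSES_ROOT\lnkfile\shell\open\command',
                      'HKLM:\SOFTWARE\Classes\lnkfile\shell\open\command') {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $cmd = [string](Get-ItemProperty -LiteralPath $path).'(default)'
        $findings.Add([pscustomobject]@{
            Kind = 'Registry'; Location = $path; Value = $cmd
            Suspicious = ($cmd -match '(?i)wscript|cscript|Wrper\.syc')
        })
    }
    foreach ($file in $DroppedFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $findings.Add([pscustomobject]@{
            Kind = 'File'; Location = $file; Value = (Get-Item -LiteralPath $file).Length
            Suspicious = ($file -like '*\Thunder\Wrper.syc')   # the others need a content check
        })
    }
    return $findings
}

Get-StartPageIndicators | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged row is a lead, not a verdict: the heuristics mirror the patterns in the entry (a URL followed by about:blank in Start Page, a .bmp or .ini file set as the user stylesheet, a WScript.exe command registered for .lnk files). Cleanup consists of deleting the values the entry lists as added and restoring the modified ones to the {default} noted for each, after the dropped files have been removed.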
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://acc.{BLOCKED}all.com/---/?pgdoc
- http://acc.{BLOCKED}all.com/--/?pgdoc
- http://acc.{BLOCKED}all.com/-/?pgdoc
- http://in.{BLOCKED}nter.cc/---/?khsnt
- http://in.{BLOCKED}nter.cc/--/?khsnt
- http://in.{BLOCKED}nter.cc/-/?khsnt
- http://www.{BLOCKED}search.com/z/a/x1.cgi?344012
- http://www.{BLOCKED}search.com/z/a/x1.cgi?656387
- http://www.{BLOCKED}search.com/z/b/x1.cgi?344012
- http://www.{BLOCKED}search.com/z/b/x1.cgi?656387
- http://www.{BLOCKED}search.com/z/c/x1.cgi?344012
- http://www.{BLOCKED}search.com/z/c/x1.cgi?656387
- http://www.{BLOCKED}0.com/?g3
- http://www.{BLOCKED}3.com/?tn=02023048_25_hao_pg