VBS_STARTPA.NT

 Modified by: Jed Valderama

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives as a component bundled with malware/grayware packages.

  TECHNICAL DETAILS

File Size: 3,571 bytes

File Type: VBS

Initial Samples Received Date: 19 Jun 2012

Arrival Details

This Trojan arrives as a component bundled with malware/grayware packages.

Installation

This Trojan drops the following files:

  • %Program Files%\Mozilla Firefox\searchplugins\pucuy.xml

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

NOTES:
It modifies every file named pref.js found in the folders and subfolders of %Application Data%\Mozilla\Firefox\Profiles\.

It adds the following lines to pref.js:

  • user_pref(browser.startup.homepage, http://www.{BLOCKED}y.com)
  • user_pref(browser.search.selectedEngine, Search)
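
A check for the changes described above, as an added example that is not part of the original write-up: it walks a Firefox Profiles tree, reports the two preferences named in the notes, and looks for the dropped search plugin. The function names, the example.invalid sample domain, the approved-homepage list and the inclusion of prefs.js (the name Firefox itself uses for its preference file) are assumptions of this example.

```python
import re
from pathlib import Path

WATCHED = ("browser.startup.homepage", "browser.search.selectedEngine")
DROPPED_PLUGIN = "pucuy.xml"          # file name from the write-up
PREF_FILES = ("pref.js", "prefs.js")  # name as written above, plus Firefox's prefs.js (assumption)

# user_pref(key, value), accepted with or without quotes and trailing semicolon
PREF_RE = re.compile(
    r'''user_pref\(\s*["']?([\w.]+)["']?\s*,\s*["']?(.*?)["']?\s*\)\s*;?\s*$''')

# Constructed sample; example.invalid stands in for the blocked domain
SAMPLE = '''user_pref("app.update.enabled", true);
user_pref(browser.startup.homepage, http://www.example.invalid)
user_pref("browser.search.selectedEngine", "Search");
'''

def parse_prefs(text):
    """Return {key: value} for the watched preferences (last assignment wins)."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in WATCHED:
            found[m.group(1)] = m.group(2)
    return found

def scan_profiles(root, approved_homepages=()):
    """Walk every folder under root; return {file: prefs} for files needing review.

    A file is reported when its homepage is not in approved_homepages or
    when the selected search engine is the name given in the write-up.
    """
    report = {}
    for name in PREF_FILES:
        for path in Path(root).rglob(name):
            prefs = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
            home = prefs.get(WATCHED[0])
            if (home and home not in approved_homepages) or prefs.get(WATCHED[1]) == "Search":
                report[str(path)] = prefs
    return report

def plugin_present(firefox_dir):
    """True if the dropped search plugin exists under the Firefox install folder."""
    return (Path(firefox_dir) / "searchplugins" / DROPPED_PLUGIN).is_file()

if __name__ == "__main__":
    print(parse_prefs(SAMPLE))
```

Pass the organisation's expected start pages as `approved_homepages` so that only unexpected values are reported.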