TROJ_STARTPA.ZH
Platform: Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan changes the user's Internet Explorer home page to a specific website. By doing so the malware can direct the browser to a site that may host further malware, putting the affected computer at greater risk of infection.
TECHNICAL DETAILS
File size: 104,960 bytes
File type: EXE
Packer: UPX
Memory resident: Yes
Initial samples received: 25 Sep 2010
Installation
This Trojan drops the following copy of itself into the affected system:
- %Windows%\nvsvc32.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
Other System Modifications
This Trojan adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = "%Windows%\nvsvc32.exe"
It creates the following registry entry to bypass Windows Firewall (the value name is the full path of the dropped file; the data uses the AuthorizedApplications format path:*:Enabled:display name):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "%Windows%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
Web Browser Home Page and Search Page Modification
This Trojan changes the user's Internet Explorer home page to the following website:
- http://{BLOCKED}turls.info
Other Details
This Trojan sets the attributes of the following file(s) to Hidden and System:
- {malware path and file name}
- %Windows%\nvsvc32.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
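The following PowerShell script is an added example, not part of the Trend Micro entry, that checks a host for every indicator listed above: the dropped file and its Hidden/System attributes, the three Run values, the Windows Firewall exception, and the Internet Explorer Start Page. File names, value names and registry paths are taken from the entry; the only assumption is that the Start Page domain ends in "turls.info", since the entry masks the rest. It reports only and changes nothing.

```powershell
# Added example: IOC check for TROJ_STARTPA.ZH. Run from an elevated prompt so that
# HKLM keys and the firewall list are readable.

function Find-StartpaIndicators {
    $windir  = $env:windir
    $dropped = Join-Path $windir 'nvsvc32.exe'          # %Windows%\nvsvc32.exe
    $valName = 'NVIDIA driver monitor'                   # Run value name used by the Trojan
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Terminal Services install-mode shadow of the HKLM Run key (replayed into user profiles)
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    $findings = @()

    # 1. Dropped copy; -Force is required because the file is set Hidden+System
    if (Test-Path -LiteralPath $dropped) {
        $attr   = (Get-Item -LiteralPath $dropped -Force).Attributes
        $hidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($attr -band [IO.FileAttributes]::System) -ne 0
        $findings += "File present: $dropped (attributes: $attr; Hidden=$hidden System=$system)"
    }

    # 2. Autostart values in HKCU, HKLM and the Terminal Server install-mode key
    foreach ($k in $runKeys) {
        if (Test-Path -LiteralPath $k) {
            $v = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).$valName
            if ($v) { $findings += "Run value '$valName' in $k = $v" }
        }
    }

    # 3. Firewall exception: value name is the file path, data is path:*:Enabled:name
    if (Test-Path -LiteralPath $fwList) {
        $props = Get-ItemProperty -LiteralPath $fwList
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like '*\nvsvc32.exe' -or "$($p.Value)" -like "*$valName*") {
                $findings += "Firewall exception: $($p.Name) = $($p.Value)"
            }
        }
    }

    # 4. Internet Explorer home page; the entry only shows the domain suffix "turls.info"
    $start = (Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue).'Start Page'
    if ($start -and $start -like '*turls.info*') {
        $findings += "IE Start Page = $start"
    }

    return $findings
}

$result = Find-StartpaIndicators
if ($result.Count -eq 0) {
    'No TROJ_STARTPA.ZH indicators found.'
} else {
    $result | ForEach-Object { "[!] $_" }
}
```

Run the script as a local administrator; a non-elevated session will still report the HKCU Run value and the Start Page but may miss the HKLM and firewall entries. The Terminal Server Install key is checked separately because a cleanup that only removes the two ordinary Run values leaves that shadow key in place, and Terminal Services can replay it into user profiles later.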