First posted on 15 June 2007.
Source: SecurityHome
Trojan:VBS/StartPage.BO is also known as VBS/StartPage.BO.@troj, startpage.bo.@troj, StartPage.BO.
VBS/StartPage.BO.@troj is an appending VBS Virus with Trojan characteristics.
It will attempt to infect all HTML files on visible drives.
StartPage.BO has multiple features and performs a number of tasks, including what could be described as "pranks", such as changing icons, mouse button settings, background images, et cetera.
VBS/StartPage.BO.@troj creates these files:
- %internetcache%\www.MacDonald.com-index.htm
- %userprofile%\Favorites\www.MacDonald.com-index.htm
- %userprofile%\Local Settings\Application Data\Microsoft\CD Burning\www.MacDonald.com-index.htm
- %userprofile%\Local Settings\History\www.MacDonald.com-index.htm
- %userprofile%\My Documents\My Music\www.MacDonald.com-index.htm
- %userprofile%\My Documents\My Pictures\www.MacDonald.com-index.htm
- %userprofile%\My Documents\My Video\www.MacDonald.com-index.htm
- %userprofile%\My Documents\www.MacDonald.com-index.htm
- %userprofile%\Start Menu\Programs\www.MacDonald.com-index.htm
- %userprofile%\Start Menu\www.MacDonald.com-index.htm
- %windir%\system32\snd44.gif
- %windir%\system32\user44.ico
- %windir%\system32\VbScr.xml
- %windir%\system32\winini.vbs
- %windir%\system32\www.MacDonald.com-index.htm
- C:\www.MacDonald.com-index.htm
Screenshot of MacDonald.com-index.htm:
It creates multiple launch points:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Winini.dll = C:\WINDOWS\system32\winini.vbs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
  Winini.dll = C:\WINDOWS\system32\winini.vbs
It sets these values:
- HKCU\Software\Microsoft\Internet Explorer\Main
  Start Page = C:\WINDOWS\system32\www.MacDonald.com-index.htm
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  Local AppData = C:\Documents and Settings\user\Local Settings\Application Data
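The dropped files and registry values listed above can be checked offline against a mounted disk image or triage copy and a text registry export. The following is an added example, not part of the original write-up: the function names and the sample registry text are constructed for illustration, and it assumes the export has already been decoded to text in `reg export` format.

```python
import os
import re

# Indicators taken from the write-up above (matched case-insensitively).
DROPPED_ANYWHERE = {"www.macdonald.com-index.htm"}
DROPPED_SYSTEM32 = {"snd44.gif", "user44.ico", "vbscr.xml", "winini.vbs"}
REG_INDICATORS = {  # value name -> substring expected in the value data
    "winini.dll": "winini.vbs",
    "start page": "www.macdonald.com-index.htm",
}

def scan_files(root):
    """Walk a mounted volume or triage copy and return sorted indicator paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_system32 = os.path.basename(dirpath).lower() == "system32"
        for name in files:
            low = name.lower()
            if low in DROPPED_ANYWHERE or (in_system32 and low in DROPPED_SYSTEM32):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def scan_reg_export(text):
    """Parse `reg export` style text; return (key, value name, data) matches."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
        elif m := _VALUE.match(line):
            # .reg files double every backslash inside string data.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            want = REG_INDICATORS.get(name.lower())
            if want and want in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample of an exported Run key and IE Main key (not from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winini.dll"="C:\\WINDOWS\\system32\\winini.vbs"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\system32\\www.MacDonald.com-index.htm"
'''
```

Call `scan_files()` with the root of the mounted volume and `scan_reg_export()` with the decoded export text; the system32 filenames are only flagged inside a `system32` directory to limit false positives on the more generic names.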
Last update 15 June 2007