Home / malwarePDF  

Trojan:Win32/Startpage.VU


First posted on 21 March 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Startpage.VU.

Explanation :

Threat behavior

Installation

Trojan:Win32/Startpage.VU copies itself to c:\documents and settings\administrator\application data\arhome\uninstall.exe. The malware creates the following files on your PC:

  • c:\documents and settings\administrator\application data\addonvont.zip
  • c:\documents and settings\administrator\application data\arhome\updater.exe
  • c:\documents and settings\administrator\application data\arhome\updater.zip
  • c:\documents and settings\administrator\application data\volie\adsafe_32.dll
  • c:\documents and settings\administrator\application data\volie\adsafe_64.dll
  • c:\documents and settings\administrator\application data\volie\ie.zip
  • c:\documents and settings\administrator\application data\volie\onload.js
  • c:\documents and settings\administrator\local settings\application data\r.reg
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data
  • c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data-journal
  • c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{89aadb18-50cf-11e3-8377-00db7fa21005}.dat
  • c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{82f8a055-50cf-11e3-8377-00db7fa21005}.dat
  • c:\documents and settings\administrator\local settings\temp\~df6e6b.tmp
  • c:\documents and settings\administrator\local settings\temp\~df81df.tmp
The malware registers the file c:\documents and settings\administrator\application data\volie\adsafe_32.dll, using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is used to register or unregister a Component Object Model (COM) dynamic link library (DLL). The /s parameter lets regsvr32.exe run silently without displaying any messages. This action can result in the following registry modifications:

Adds value:"(default)"
With data: "adsafe"
To subkey: hku\Administrator\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "adsafe"
To subkey: hklm\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "adsafe.adsafe"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\versionindependentprogid
Adds value:"(default)"
With data: "{3fc2d59a-5c76-1e97-30dc-1ec6784419e5}"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\typelib
Adds value:"(default)"
With data: "adsafe.adsafe.1"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\progid
Adds value:"(default)"
With data: "c:\documents and settings\administrator\application data\volie\adsafe_32.dll"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\inprocserver32
Adds value:"(default)"
With data: "adsafe class"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe\clsid
Adds value:"(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe.1\clsid

Payload

Contacts remote host

Trojan:Win32/Startpage.VU might contact a remote host at www.acdcads.com using port 80. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 623d8a21acdbe5808b40118a599f79998ce72519.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\application data\addonvont.zip
    c:\documents and settings\administrator\application data\arhome\uninstall.exe
    c:\documents and settings\administrator\application data\arhome\updater.exe
    c:\documents and settings\administrator\application data\arhome\updater.zip
    c:\documents and settings\administrator\application data\volie\adsafe_32.dll
    c:\documents and settings\administrator\application data\volie\adsafe_64.dll
    c:\documents and settings\administrator\application data\volie\ie.zip
    c:\documents and settings\administrator\application data\volie\onload.js
    c:\documents and settings\administrator\local settings\application data\r.reg
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data
    c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data-journal
    c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{89aadb18-50cf-11e3-8377-00db7fa21005}.dat
    c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{82f8a055-50cf-11e3-8377-00db7fa21005}.dat
    c:\documents and settings\administrator\local settings\temp\~df6e6b.tmp
    c:\documents and settings\administrator\local settings\temp\~df81df.tmp
  • You see these entries or keys in your registry:
Adds value:"(default)"
With data: "adsafe"
To subkey: hku\Administrator\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "adsafe"
To subkey: hklm\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "adsafe.adsafe"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\versionindependentprogid
Adds value:"(default)"
With data: "{3fc2d59a-5c76-1e97-30dc-1ec6784419e5}"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\typelib
Adds value:"(default)"
With data: "adsafe.adsafe.1"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\progid
Adds value:"(default)"
With data: "c:\documents and settings\administrator\application data\volie\adsafe_32.dll"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\inprocserver32
Adds value:"(default)"
With data: "adsafe class"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}
Adds value:"(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe\clsid
Adds value:"(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe.1\clsid

Last update 21 March 2014

 

TOP