Trojan:Win32/Startpage.VU
First posted on 21 March 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Startpage.VU.
Explanation:
Threat behavior
Installation
Trojan:Win32/Startpage.VU copies itself to c:\documents and settings\administrator\application data\arhome\uninstall.exe. The malware creates the following files on your PC:
- c:\documents and settings\administrator\application data\addonvont.zip
- c:\documents and settings\administrator\application data\arhome\updater.exe
- c:\documents and settings\administrator\application data\arhome\updater.zip
- c:\documents and settings\administrator\application data\volie\adsafe_32.dll
- c:\documents and settings\administrator\application data\volie\adsafe_64.dll
- c:\documents and settings\administrator\application data\volie\ie.zip
- c:\documents and settings\administrator\application data\volie\onload.js
- c:\documents and settings\administrator\local settings\application data\r.reg
- c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
- c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data
- c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data-journal
- c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{89aadb18-50cf-11e3-8377-00db7fa21005}.dat
- c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{82f8a055-50cf-11e3-8377-00db7fa21005}.dat
- c:\documents and settings\administrator\local settings\temp\~df6e6b.tmp
- c:\documents and settings\administrator\local settings\temp\~df81df.tmp
The malware registers the file c:\documents and settings\administrator\application data\volie\adsafe_32.dll using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is used to register or unregister a Component Object Model (COM) dynamic link library (DLL); the /s parameter makes it run silently, without displaying any messages. The registry keys written by this registration install the DLL as an Internet Explorer Browser Helper Object (BHO), so it is loaded into the browser each time Internet Explorer starts. This action can result in the following registry modifications:
Adds value: "(default)"
With data: "adsafe"
To subkey: hku\Administrator\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "adsafe"
To subkey: hklm\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "adsafe.adsafe"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\versionindependentprogid

Adds value: "(default)"
With data: "{3fc2d59a-5c76-1e97-30dc-1ec6784419e5}"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\typelib

Adds value: "(default)"
With data: "adsafe.adsafe.1"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\progid

Adds value: "(default)"
With data: "c:\documents and settings\administrator\application data\volie\adsafe_32.dll"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\inprocserver32

Adds value: "(default)"
With data: "adsafe class"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe\clsid

Adds value: "(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe.1\clsid
Payload
Contacts remote host
Trojan:Win32/Startpage.VU might contact a remote host at www.acdcads.com using port 80. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 623d8a21acdbe5808b40118a599f79998ce72519.
Symptoms
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\application data\addonvont.zip
c:\documents and settings\administrator\application data\arhome\uninstall.exe
c:\documents and settings\administrator\application data\arhome\updater.exe
c:\documents and settings\administrator\application data\arhome\updater.zip
c:\documents and settings\administrator\application data\volie\adsafe_32.dll
c:\documents and settings\administrator\application data\volie\adsafe_64.dll
c:\documents and settings\administrator\application data\volie\ie.zip
c:\documents and settings\administrator\application data\volie\onload.js
c:\documents and settings\administrator\local settings\application data\r.reg
c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\preferences
c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data
c:\documents and settings\administrator\local settings\application data\google\chrome\user data\default\web data-journal
c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\{89aadb18-50cf-11e3-8377-00db7fa21005}.dat
c:\documents and settings\administrator\local settings\application data\microsoft\internet explorer\recovery\active\recoverystore.{82f8a055-50cf-11e3-8377-00db7fa21005}.dat
c:\documents and settings\administrator\local settings\temp\~df6e6b.tmp
c:\documents and settings\administrator\local settings\temp\~df81df.tmp
- You see these entries or keys in your registry:
Adds value: "(default)"
With data: "adsafe"
To subkey: hku\Administrator\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "adsafe"
To subkey: hklm\software\microsoft\windows\currentversion\explorer\browser helper objects\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "adsafe.adsafe"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\versionindependentprogid

Adds value: "(default)"
With data: "{3fc2d59a-5c76-1e97-30dc-1ec6784419e5}"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\typelib

Adds value: "(default)"
With data: "adsafe.adsafe.1"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\progid

Adds value: "(default)"
With data: "c:\documents and settings\administrator\application data\volie\adsafe_32.dll"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}\inprocserver32

Adds value: "(default)"
With data: "adsafe class"
To subkey: hklm\software\classes\clsid\{598ac71e-be58-3981-b78a-5c138f423ad6}

Adds value: "(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe\clsid

Adds value: "(default)"
With data: "{598ac71e-be58-3981-b78a-5c138f423ad6}"
To subkey: hklm\software\classes\adsafe.adsafe.1\clsid

Last update 21 March 2014