
Trojan:Win32/Startpage.XW


First posted on 02 December 2015.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Startpage.XW.

Explanation :

Threat behavior

Installation

This threat creates the following files on your PC:

  • %APPDATA%\shortCutStore\Google Chrome.lnk
  • %APPDATA%\shortCutStore\Internet Explore.lnk
  • %APPDATA%\shortCutStore\Mozilla Firefox.lnk


It then modifies the following existing shortcut files so that they point to the new URL that replaced the browser's start page:

  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
  • %USERPROFILE%\Start Menu\Programs\Internet Explorer.lnk
  • %ALLUSERSPROFILE%\Start Menu\Programs\Mozilla Firefox.lnk
  • %ALLUSERSPROFILE%\Start Menu\Programs\Google Chrome\Google Chrome.lnk


It then replaces the Start Page or Default Page URL in your browser by creating or modifying the following registry entries:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: "<URL>"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<URL>"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: "<URL>"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<URL>"

Where <URL> can be www.top8844.com?oem=sv1&uid=_&tm=1448426646.

We have seen this malware connect to its server using HTTP Post at http://service.gamegogle.com/sv3/Log/logExec.php.

Payload

Replaces the start page or default page URL in your browser without your consent.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    • %APPDATA%\shortCutStore\Google Chrome.lnk
    • %APPDATA%\shortCutStore\Internet Explore.lnk
    • %APPDATA%\shortCutStore\Mozilla Firefox.lnk
  • You see these entries in your registry:


In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: "<URL>"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<URL>"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: "<URL>"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<URL>"
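As an added example that is not part of Microsoft's entry, the following read-only PowerShell check looks for the indicators described above: the dropped files under %APPDATA%\shortCutStore, the two Internet Explorer start-page values under HKCU and HKLM, and whether the listed browser shortcuts now launch with a URL argument. It assumes the XP-era Start Menu locations the entry lists (later Windows versions keep the all-users Start Menu under %ALLUSERSPROFILE%\Microsoft\Windows); the URL patterns it flags are taken from the sample observed in this entry.

```powershell
# Added example, not Microsoft's code: host check for Trojan:Win32/Startpage.XW indicators. Read-only.
$findings = @()

# 1. Dropped shortcut copies in %APPDATA%\shortCutStore (file names as listed in the entry)
$store = Join-Path $env:APPDATA 'shortCutStore'
foreach ($name in 'Google Chrome.lnk', 'Internet Explore.lnk', 'Mozilla Firefox.lnk') {
    $p = Join-Path $store $name
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Start Page / Default_Page_URL under HKCU and HKLM
$keys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in 'Start Page', 'Default_Page_URL') {
        $data = $props.$v
        # Flag the domain seen in this sample, or the oem=/uid=/tm= query pattern its URL carries
        if ($data -match 'top8844\.com' -or $data -match '\?oem=.*&uid=.*&tm=') {
            $findings += "Registry $k\$v = $data"
        }
    }
}

# 3. Browser shortcuts from the entry whose arguments carry a URL (a clean shortcut launches the .exe alone)
$shell = New-Object -ComObject WScript.Shell
$lnkPaths = @(
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Internet Explorer.lnk'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Mozilla Firefox.lnk'),   # assumed XP-era location
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Google Chrome\Google Chrome.lnk')
)
foreach ($p in $lnkPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $lnk = $shell.CreateShortcut($p)
    if ($lnk.Arguments -match '(https?://|www\.)') {
        $findings += "Shortcut $p launches with arguments: $($lnk.Arguments)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } } else { Write-Output 'No indicators found.' }
```

Run it in the affected user's session so %APPDATA% and HKCU resolve to that profile; the HKLM values and all-users shortcuts are readable without elevation.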

Last update 02 December 2015
