Trojan:Win32/Startpage.OV
First posted on 15 August 2019.
Source: Microsoft
Aliases:
Trojan:Win32/Startpage.OV is also known as Trojan.BAT.StartPage.jm, not-a-virus:RiskTool.Win32.WFPDisabler, StartPage-NP, Trojan.Win32.StartPage.pul.
Explanation:
Trojan:Win32/Startpage.OV is typically found in bundled installers that modify the user's default Internet Explorer home page to a Chinese website.
Payload
Modifies browser settings
Trojan:Win32/Startpage.OV modifies the Internet Explorer home page to the website "www.ez173.com". It does this by modifying the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "www.ez173.com"
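A defender-side check for the registry change described above, as an added example that is not part of the original entry: it parses the text output of `reg query` for each user hive and flags a "Start Page" value whose host is the listed site. The SIDs and sample output are constructed, and matching the parent domain ez173.com in addition to www.ez173.com is an assumption.

```python
import re
from urllib.parse import urlsplit

# Derived from the indicator in the entry; matching the parent domain is an assumption.
PARENT_DOMAIN = "ez173.com"

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group("name")] = m.group("data").strip()
    return keys

def start_page_host(data):
    """Extract the lower-cased host from a Start Page value, with or without a scheme."""
    data = data.strip()
    if "://" not in data:
        data = "//" + data  # let urlsplit treat a bare "www.site.tld" as a network location
    return (urlsplit(data).hostname or "").rstrip(".")

def hijacked_start_pages(text):
    """List (key, data) pairs whose "Start Page" points at the indicator domain."""
    hits = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith(r"\software\microsoft\internet explorer\main"):
            continue
        data = values.get("Start Page", "")
        host = start_page_host(data)
        if host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN):
            hits.append((key, data))
    return hits

# Constructed sample output (not from a real host): one hijacked hive, one clean.
SAMPLE = r"""
HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    www.ez173.com
    Search Page    REG_SZ    http://example.com/

HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    about:blank
"""

if __name__ == "__main__":
    for key, data in hijacked_start_pages(SAMPLE):
        print(f"hijacked: {key} -> {data}")
```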
Drops other files
Trojan:Win32/Startpage.OV drops the following files on the computer without the user's consent:
Internat Explor.html
Internat Explor.html
Internat Explorer.lnk
%ProgramFiles%Adobe1.ha
%ProgramFiles%Adobe1.html
%ProgramFiles%Adobe3.bat - detected as Trojan:VBS/Startpage.G
%ProgramFiles%Adober.vbs
The dropped shortcuts appear as the following:
Analysis by Mihai Calota
Last update 15 August 2019