Trojan:Win32/Preflayer.A
First posted on 29 March 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Preflayer.A is also known as Trojan horse Startpage.TMI (AVG), Trojan.Win32.Startpage (Ikarus), RDN/Generic StartPage!p (McAfee).
Explanation:
Installation
When run, it shows a fake Adobe Flash Player installer. If you run this fake installer, it changes the home page for your browser. The fake installer might look like this:
To trick you into thinking that it's a legitimate installer, it also downloads and runs the actual Flash Player installer.
Payload
Changes browser home page
It changes your browser's home page to either of the following URLs:
- www.anasayfada.net
- www.heydex.com
It might also modify the browser's shortcut file so that when you open the browser from that shortcut, it automatically loads one of the URLs mentioned above.
In Google Chrome, this trojan changes the home page by setting the following setting in the file "%APPDATA%\Google\Chrome\User Data\Default\Preferences":
"homepage": "<URL>"
In Mozilla Firefox, this trojan creates a folder named "%APPDATA%\Mozilla\Firefox\Profiles\<eight random characters>.default". It places a preferences file, "Prefs.js", into this folder with the following setting:
user_pref("browser.startup.homepage", "<URL>")
In Internet Explorer and Yandex, it tries to change the shortcut files that launch these browsers:
In "Internet Explorer.lnk", the shortcut target is changed from "%ProgramFiles%\Internet Explorer\iexplore.exe" to "%ProgramFiles%\Internet Explorer\iexplore.exe <URL>".
In Yandex, the shortcut target is changed from "%AppData%\Local\Yandex\YandexBrowser\Application\browser.exe" to "%AppData%\Local\Yandex\YandexBrowser\Application\browser.exe <URL>".
where <URL> is one of the URLs mentioned above.
These shortcut files are located in:
- %AppData%\Microsoft\Internet Explorer\Quick Launch
- %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
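The three modifications described above (the Chrome "homepage" preference, the Firefox user_pref line, and a URL appended to the browser shortcut target) can each be checked for the two listed URLs. The following is an added example, not part of the original write-up; it runs over constructed sample artefacts, and the shortcut check assumes the .lnk argument string has already been extracted by some other means.

```python
import json
import re

# Home-page URLs the write-up lists for this trojan.
PREFLAYER_URLS = {"www.anasayfada.net", "www.heydex.com"}

def _host(url):
    """Reduce a URL or bare host name to a lower-case host for comparison."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    return url.split("/", 1)[0]

def check_chrome_preferences(prefs_text):
    """Chrome: the JSON 'Preferences' file holds the home page under "homepage"."""
    homepage = json.loads(prefs_text).get("homepage", "")
    return homepage if _host(homepage) in PREFLAYER_URLS else None

def check_firefox_prefs(prefs_js):
    """Firefox: prefs.js line user_pref("browser.startup.homepage", "<URL>")."""
    m = re.search(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)', prefs_js)
    if m and _host(m.group(1)) in PREFLAYER_URLS:
        return m.group(1)
    return None

def check_shortcut_arguments(arguments):
    """IE/Yandex: the .lnk target gains a URL argument, e.g. 'iexplore.exe <URL>'.
    Takes the argument string already read out of the .lnk (assumption: obtained
    with a .lnk parser or WScript.Shell's CreateShortcut; not parsed here)."""
    for token in arguments.split():
        if _host(token) in PREFLAYER_URLS:
            return token
    return None

# Constructed sample artefacts mimicking the modifications described above.
SAMPLE_CHROME = json.dumps({"homepage": "http://www.heydex.com/"})
SAMPLE_FIREFOX = 'user_pref("browser.startup.homepage", "http://www.anasayfada.net");\n'
SAMPLE_LNK_ARGS = "www.heydex.com"
CLEAN_LNK_ARGS = ""

def scan_samples():
    """Run every check over the constructed samples; None means no indicator found."""
    return {
        "chrome": check_chrome_preferences(SAMPLE_CHROME),
        "firefox": check_firefox_prefs(SAMPLE_FIREFOX),
        "ie_lnk": check_shortcut_arguments(SAMPLE_LNK_ARGS),
        "clean_lnk": check_shortcut_arguments(CLEAN_LNK_ARGS),
    }

if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {hit or 'clean'}")
```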
Analysis by Jonathan San Jose
Last update 29 March 2013