Trojan:Win32/Startpage.IP
First posted on 22 June 2010.
Source: SecurityHome

Aliases :
There are no other names known for Trojan:Win32/Startpage.IP.
Explanation :
Trojan:Win32/Startpage.IP is a detection for trojans that modify the affected user's default Internet Explorer home page.
Installation

Trojan:Win32/Startpage.IP arrives on the compromised computer as a Nullsoft (NSIS) installer package, usually dropping and executing any number of files on the system. For instance, one installer package installs the following files:

%TEMP%\setup.exe
%TEMP%\max2_133daohang4.exe

Note: %TEMP% refers to a variable location that the malware determines by querying the operating system. The default location of the Temp folder for Windows 2000 and XP is C:\DOCUME~1\<user>\LOCALS~1\Temp (the short-name form of C:\Documents and Settings\<user>\Local Settings\Temp); for Vista and 7 it is C:\Users\<user name>\AppData\Local\Temp.

Payload

Modifies browser settings

When executed, Trojan:Win32/Startpage.IP modifies Internet Explorer settings in order to direct the browser to a Web site of its choosing. The trojan adds an entry under the following registry key, which belongs to the Internet Explorer desktop icon:

HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command

It does this so that when the user double-clicks the Internet Explorer icon on the desktop, or right-clicks the icon and chooses the "Open Home Page" option (as shown in the image below), the browser opens the URL specified by the modified value instead of the configured home page. For example, we have observed Trojan:Win32/Startpage.IP making the following registry modification:

Adds value: "(Default)"
With data: "%program_files%\internet explorer\iexplore.exe http://www.pp2345.com"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command

Note: If the "Open Home Page" command is not enabled for the icon (it appears in the icon's context menu; refer to the above image), the above registry modification has no effect.

Trojan:Win32/Startpage.IP also adds shortcuts to Web sites of its choosing to the Internet Explorer Favorites menu, for example:

www.pp2345.com
www.my115.net
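The following triage helper is an added example and is not part of the original analysis or Microsoft's own tooling. It checks the two artifacts described above: the (Default) data of the OpenHomePage\Command key, and the .url shortcut files the trojan drops into Favorites. It assumes (the page does not state this) that a clean Command value is the bare iexplore.exe path with no URL argument, so any URL passed as an argument is treated as a home-page hijack. The registry data and the host list come from this page; the Favorites file contents are constructed samples in the standard [InternetShortcut] format.

```python
import re
from urllib.parse import urlparse

# Hosts named in this analysis. Extend with your own indicators.
KNOWN_HOSTS = {"www.pp2345.com", "www.my115.net"}

# Registry data observed on the page for the hijacked (Default) value.
OBSERVED_HIJACK = r"%program_files%\internet explorer\iexplore.exe http://www.pp2345.com"

# Constructed sample: contents of three .url files from a Favorites folder
# (the first two mimic the shortcuts the trojan drops; the third is benign).
SAMPLE_FAVORITES = {
    "pp2345.url": "[InternetShortcut]\r\nURL=http://www.pp2345.com/\r\n",
    "my115.url": "[InternetShortcut]\r\nURL=http://www.my115.net/\r\nIconIndex=0\r\n",
    "Example.url": "[InternetShortcut]\r\nURL=http://www.example.com/\r\n",
}


def parse_shell_command(data):
    """Split a shell\\...\\Command value into (executable, arguments).

    A quoted path ends at the closing quote; an unquoted path (as in the
    observed data, whose 'internet explorer' directory contains a space)
    is taken through the first '.exe'.
    """
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s, ""
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(?i)(.*?\.exe)(.*)", s)
    if not m:
        return s, ""
    return m.group(1), m.group(2).strip()


def homepage_override(data):
    """Classify the OpenHomePage\\Command (Default) data.

    Assumption (not stated on the page): a clean value is the bare
    iexplore.exe path, so any URL argument means the icon was hijacked.
    """
    exe, args = parse_shell_command(data)
    urls = [a for a in args.split() if a.lower().startswith(("http://", "https://"))]
    hosts = {urlparse(u).hostname for u in urls}
    return {
        "exe": exe,
        "urls": urls,
        "hijacked": bool(urls),
        "known_indicator": bool(hosts & KNOWN_HOSTS),
    }


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section of a .url file."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def flag_favorites(favorites, known_hosts=KNOWN_HOSTS):
    """Return [(filename, url)] for Favorites whose host is a known indicator."""
    flagged = []
    for name, text in favorites.items():
        url = parse_url_file(text)
        if url and urlparse(url).hostname in known_hosts:
            flagged.append((name, url))
    return flagged


if __name__ == "__main__":
    print(homepage_override(OBSERVED_HIJACK))
    print(homepage_override(r'"C:\Program Files\Internet Explorer\iexplore.exe"'))
    print(flag_favorites(SAMPLE_FAVORITES))
```

On a live system, feed homepage_override() the (Default) data read from the key with reg query or Get-ItemProperty, and pass flag_favorites() a mapping built by reading each .url file under the user's Favorites folder. A URL argument on the command line is the signal to look for; the Favorites check only confirms the specific hosts from this analysis and should be widened with the hosts you observe.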
Analysis by Amir Fouda
Last update 22 June 2010