
Trojan:VBS/Startpage.Z


First posted on 30 November 2010.
Source: SecurityHome

Aliases:

Trojan:VBS/Startpage.Z is also known as Trojan.VBS.Agent.kq (Kaspersky), Trojan horse Generic3_c.NUV (AVG), VBS/Startpage.ALR (CA), Trojan.Script.VBS.Agent.bs (Rising AV), VBS_AGENT.AWXP (Trend Micro).

Explanation:

Trojan:VBS/Startpage.Z is a detection for trojans that modify the user's default Internet Explorer start page.

Installation

Trojan:VBS/Startpage.Z drops itself as the following files:

  • %windir%\svMain.sql
  • %APPDATA%\Main.mdb

The trojan creates and executes the following file with 'read only' and 'system' attributes:

  • %APPDATA%\setup.inf

This file then executes the dropped %APPDATA%\Main.mdb file.

Trojan:VBS/Startpage.Z adds the following autorun registry entry:

  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Sets value: "Main"
  With data: "%APPDATA%\Main.mdb"

Payload

Modifies Internet Explorer settings

Trojan:VBS/Startpage.Z changes the start page to a certain website. Some of the websites that the trojan has been known to set are:

  • hao.new222.info
  • server38.2010player.info:459/?i=2

The trojan makes the following registry modifications to change file extension associations:

  In subkey: HKCR\.mdb
  Sets value: Default
  With data: "vbefile"

  In subkey: HKCR\.css
  Sets value: Default
  With data: "cssfile"

  In subkey: HKCR\CSSfile
  Sets value: Default
  With data: "µ³Ã„þ"

  In subkey: HKCR\.snd
  Sets value: Default
  With data: "µ³Ã„þ"

  In subkey: HKCR\sndfile
  Sets value: Default
  With data: "µ³Ã„þ"

  In subkey: HKCR\CSSfile\DefaultIcon
  Sets value: Default
  With data: "C:\Program Files\Internet Explorer\iexplore.exe"

The trojan opens an Internet Explorer browser with a default <malware URL> as a parameter when an affected user opens CSS (Cascading Style Sheet) files. It does the same when an affected user opens SND files (by default associated with audio files).

Trojan:VBS/Startpage.Z also creates the following garbage files:

  • %APPDATA%\internet explorer.css
  • %ProgramsPath%\internet explorer.css
  • %Desktop%\internet explorer.css
  • %Desktop%\ԦÌÇ.snd

Deletes files

Trojan:VBS/Startpage.Z deletes the following files:

  • %Desktop%\Internet Explorer.lnk
  • %ProgramsPath%\Internet Explorer.lnk
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk

Modifies Internet Explorer settings

The trojan hides file extensions by making the following registry modifications:

  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Sets value: "ShowSuperHidden"
  With data: DWORD:0
  Sets value: "Hidden"
  With data: DWORD:2
  Sets value: "HideFileExt"
  With data: DWORD:1

The trojan hides the Internet Explorer icon on the desktop by making the following registry modifications:

  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Sets value: "NoInternetIcon"
  With data: DWORD:1

  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Sets value: "NoInternetIcon"
  With data: DWORD:1

Modifies files

Trojan:VBS/Startpage.Z creates or modifies the Kingsoft initialization file to add a malicious URL:

  • %Desktop%\Application Data\kingsoft\kws\kws.ini

For example, the following URL is added to the initialization file: hao.new222.info

The trojan checks whether Kingsoft is running; if it is not, the following file is executed:

  • %windir%\Resources\KSWebShield.exe –install
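The registry changes listed above can be checked offline against a `.reg` export taken from a suspect machine. The following Python is an added example, not code from the original write-up or from any vendor tool; it assumes the standard `reg export` text format and uses a constructed sample export embedded inline.

```python
import re

# Constructed sample .reg export (assumed input format; not data from the page)
# showing registry changes the write-up attributes to Trojan:VBS/Startpage.Z.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Main"="C:\\Users\\victim\\AppData\\Roaming\\Main.mdb"
[HKEY_CLASSES_ROOT\.mdb]
@="vbefile"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInternetIcon"=dword:00000001
"""
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CLASSES_ROOT": "HKCR"}
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg_export(text):
    """Map (subkey, value name) -> value; dword -> int, default value named ''."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVES.get(hive, hive) + "\\" + rest).lower()  # HKCU\..., lower-cased
        elif key and (m := VALUE_RE.match(line)):
            name, raw = (m.group(1) or "").lower(), m.group(2)
            entries[(key, name)] = (int(raw[6:], 16) if raw.startswith("dword:")
                                    else raw.strip('"').replace("\\\\", "\\"))
    return entries


CV = "hkcu\\software\\microsoft\\windows\\currentversion\\"
RULES = [  # (subkey, value name, predicate, finding) taken from the write-up
    (CV + "runonce", "main", lambda v: str(v).lower().endswith("\\main.mdb"),
     "RunOnce 'Main' launches Main.mdb"),
    ("hkcr\\.mdb", "", lambda v: v == "vbefile", ".mdb remapped to encoded VBScript"),
    ("hkcr\\cssfile\\defaulticon", "", lambda v: "iexplore.exe" in str(v).lower(),
     "CSSfile icon points at iexplore.exe"),
    (CV + "explorer\\advanced", "hidefileext", lambda v: v == 1, "extensions hidden"),
    (CV + "explorer\\advanced", "showsuperhidden", lambda v: v == 0, "system files hidden"),
    (CV + "policies\\explorer", "nointerneticon", lambda v: v == 1, "IE icon hidden"),
]


def find_startpage_indicators(entries):
    """Return the finding text for every rule the parsed entries satisfy."""
    return [desc for key, name, pred, desc in RULES
            if (key, name) in entries and pred(entries[(key, name)])]
```

The Explorer\Advanced values are user-configurable and weak on their own; treat them as corroborating only when the RunOnce, `.mdb` association or DefaultIcon rule also fires.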

    Analysis by Rodel Finones

    Last update 30 November 2010
