Trojan.Startpage.Q

Trojan.Startpage.Q changes the Internet Explorer home page and the related registry keys.

Description from Symantec:

When Trojan.Startpage.Q is executed, it performs the following actions:

  1. Copies itself as the following files:

  2. Adds the value:

    "SonudMan" = "%Windir%\SonudMan.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan runs when Windows starts.

  3. Modifies the value to:

    "(Default)" = "%System%\he1p.exe"%1""

    in the registry subkey:

    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    so that the Trojan runs each time you open a .txt file.

  4. Modifies the value to:

    "DisableTaskMgr" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

    to disable Task Manager.

  5. Modifies the value to:

    "HomePage" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

  6. Modifies the value to:

    "CheckedValue" = "0"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall

  7. Attempts to close the following windows:

    Window Name: joyiex
    Window Class: ddqxyz

    Window Name: Windows +++
    Window Class: ThunderRT6FormDC

    Window Name: [VARIES]
    Window Class: TKillqqvir

    Window Name: qqav
    Window Class: TApplication

  8. Connects to [http://]msg.cd321.com/[REMOVED]/msg and downloads the following files:

  9. Attempts to download and execute additional files from the following URL, which is obtained from the previously downloaded files:

    [http://]www.joyiex.com/[REMOVED]/520.exe

  10. Modifies the values to:

    "Start Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "SearchURL" = "[CONTENTS OF DOWNLOADED FILE]"
    "Local Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "Search Bar" = "[CONTENTS OF DOWNLOADED FILE]"
    "Search Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "First Home Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "default_page_url" = "[CONTENTS OF DOWNLOADED FILE]"
    "Default_Search_URL" = "[CONTENTS OF DOWNLOADED FILE]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to change Internet Explorer settings.

    Note: [CONTENTS OF DOWNLOADED FILE] is the URL contained in she11.dll and at the time of writing, the URL was [http://]www.joyiex.com/[REMOVED].

  11. Modifies the values to:

    "url1" = "[CONTENTS OF DOWNLOADED FILE]"
    "url2" = "[CONTENTS OF DOWNLOADED FILE]"
    "url3" = "[CONTENTS OF DOWNLOADED FILE]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

    to change Internet Explorer settings.
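A read-only host check built from the steps above, added here as an example in PowerShell; it is not part of the Symantec description, and the `Get-RegValue` and `Test-StartpageQ` function names are my own. It reads only the registry locations the description names, reports which ones match, and changes nothing; the `joyiex.com` match reflects the URL the note says was in use at the time of writing.

```powershell
# Added example (not from the Symantec description): read-only check for the registry
# changes listed above. Run as the affected user; nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-StartpageQ {
    $findings = @()
    # Step 2: persistence through the per-user Run key.
    $run = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'SonudMan'
    if ($run) { $findings += "Run\SonudMan = $run" }
    # Step 3: .txt file association redirected to he1p.exe.
    $txt = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command' '(default)'
    if ($txt -and $txt -match 'he1p\.exe') { $findings += "txtfile open command = $txt" }
    # Step 4: Task Manager disabled by policy.
    $tm = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr'
    if ($tm -eq 1) { $findings += 'DisableTaskMgr = 1' }
    # Step 5: IE home page locked by policy.
    $hp = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'HomePage'
    if ($hp -eq 1) { $findings += 'Internet Explorer\Control Panel\HomePage = 1' }
    # Step 6: "Show hidden files and folders" option broken.
    $cv = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' 'CheckedValue'
    if ($cv -eq 0) { $findings += 'SHOWALL\CheckedValue = 0' }
    # Steps 10 and 11: IE Main and TypedURLs values pointing at the domain the description names.
    $names = 'Start Page','SearchURL','Local Page','Search Bar','Search Page',
             'First Home Page','default_page_url','Default_Search_URL'
    foreach ($n in $names) {
        $v = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' $n
        if ($v -and $v -match 'joyiex\.com') { $findings += "IE Main\$n = $v" }
    }
    foreach ($n in 'url1','url2','url3') {
        $v = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' $n
        if ($v -and $v -match 'joyiex\.com') { $findings += "TypedURLs\$n = $v" }
    }
    return $findings
}

$result = @(Test-StartpageQ)
if ($result.Count -eq 0) { 'No Trojan.Startpage.Q indicators found.' } else { $result }
```

Any hit on steps 2 or 3 means the binary is still wired to start on logon or on opening a .txt file, so collect the referenced files before cleaning the values.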