Trojan.Startpage.Q изменяет домашнюю страницу в Internet Explorer и связанные ключи реестра.
Описание от Symantec:
name=technicaldetails>When Trojan.Startpage.Q is executed, it performs the following actions:
- name=technicaldetails>Copies itself as the following files:
- name=technicaldetails>%Windir%\SonudMan.exe
- name=technicaldetails>%System%\he1p.exe
Note: - name=technicaldetails>%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- name=technicaldetails>%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP)
- name=technicaldetails>Adds the value:
"SonudMan" = "Windir%\SonudMan.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurretVersion\Run
so that the Trojan runs when Windows starts. - name=technicaldetails>Modifies the value to:
"(Default)" = "%System%\he1p.exe"%1""
in the registry subkey:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
so that the Trojan runs each time you open a .txt file - name=technicaldetails>Modifies the value to:
"DisableTaskMgr" = "1"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
to disable Task Manager. - name=technicaldetails>Modifies the value to:
"HomePage" = "1"
in the registry subkey:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel - name=technicaldetails>Modifies the value to:
"CheckedValue" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall - name=technicaldetails>Attempts to close the following windows:
Window Name: joyiex
Window Class: ddqxyz
Window Name: Windows +++
Window Class: ThunderRT6FormDC
Window Name: [VARIES]
Window Class: TKillqqvir
Window Name: qqav
Window Class: TApplication - name=technicaldetails>Connects to [http://]msg.cd321.com/[REMOVED]/msg and downloads the following files:
- name=technicaldetails>ie1.txt
- name=technicaldetails>msg1.txt
- name=technicaldetails>msg2.txt
- name=technicaldetails>msg3.txt
and saves them as: - name=technicaldetails>she11.dll
- name=technicaldetails>msg1.dll
- name=technicaldetails>msg2.dll
- name=technicaldetails>msg3.dll
- name=technicaldetails>Attempts to download and execute additional files from the the following URL, which is obtained from the previously downloaded files:
[http://]www.joyiex.com/[REMOVED]/520.exe - name=technicaldetails>Modifies the values to:
"Start Page" = "[CONTENTS OF DOWNLOADED FILE]"
"SearchURL" = "[CONTENTS OF DOWNLOADED FILE]"
"Local Page" = "[CONTENTS OF DOWNLOADED FILE]"
"Search Bar" = "[CONTENTS OF DOWNLOADED FILE]"
"Search Page" = "[CONTENTS OF DOWNLOADED FILE]"
"First Home Page" = "[CONTENTS OF DOWNLOADED FILE]"
"default_page_url" = "[CONTENTS OF DOWNLOADED FILE]"
"Default_Search_URL" = "[CONTENTS OF DOWNLOADED FILE]"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
to change Internet Explorer settings.
Note: [CONTENTS OF DOWNLOADED FILE] is the URL contained in she11.dll and at the time of writing, the URL was [http://]www.joyiex.com/[REMOVED]. - name=technicaldetails>Modifies the values to:
"url1" = "[CONTENTS OF DOWNLOADED FILE]"
"url2" = "[CONTENTS OF DOWNLOADED FILE]"
"url3" = "[CONTENTS OF DOWNLOADED FILE]"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
to change Internet Explorer settings.