Trojan.Startpage.Q

Trojan.Startpage.Q changes the Internet Explorer home page and the related registry keys.

Description from Symantec:

When Trojan.Startpage.Q is executed, it performs the following actions:

  1. Copies itself as the following files:

    • %Windir%\SonudMan.exe
    • %System%\he1p.exe

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "SonudMan" = "%Windir%\SonudMan.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan runs when Windows starts.

  3. Modifies the value to:

    "(Default)" = "%System%\he1p.exe" "%1"

    in the registry subkey:

    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    so that the Trojan runs each time you open a .txt file.

  4. Modifies the value to:

    "DisableTaskMgr" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

    to disable Task Manager.

  5. Modifies the value to:

    "HomePage" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

  6. Modifies the value to:

    "CheckedValue" = "0"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall

  7. Attempts to close the following windows:

    Window Name: joyiex
    Window Class: ddqxyz

    Window Name: Windows +++
    Window Class: ThunderRT6FormDC

    Window Name: [VARIES]
    Window Class: TKillqqvir

    Window Name: qqav
    Window Class: TApplication

  8. Connects to [http://]msg.cd321.com/[REMOVED]/msg and downloads the following files:

    • ie1.txt
    • msg1.txt
    • msg2.txt
    • msg3.txt

      and saves them as:

    • she11.dll
    • msg1.dll
    • msg2.dll
    • msg3.dll

  9. Attempts to download and execute additional files from the following URL, which is obtained from the previously downloaded files:

    [http://]www.joyiex.com/[REMOVED]/520.exe

  10. Modifies the values to:

    "Start Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "SearchURL" = "[CONTENTS OF DOWNLOADED FILE]"
    "Local Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "Search Bar" = "[CONTENTS OF DOWNLOADED FILE]"
    "Search Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "First Home Page" = "[CONTENTS OF DOWNLOADED FILE]"
    "default_page_url" = "[CONTENTS OF DOWNLOADED FILE]"
    "Default_Search_URL" = "[CONTENTS OF DOWNLOADED FILE]"


    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to change Internet Explorer settings.

    Note: [CONTENTS OF DOWNLOADED FILE] is the URL contained in she11.dll and at the time of writing, the URL was [http://]www.joyiex.com/[REMOVED].

  11. Modifies the values to:

    "url1" = "[CONTENTS OF DOWNLOADED FILE]"
    "url2" = "[CONTENTS OF DOWNLOADED FILE]"
    "url3" = "[CONTENTS OF DOWNLOADED FILE]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

    to change Internet Explorer settings.
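As an added defender's example (not part of the Symantec writeup), the following Python triage check parses a Windows .reg export and flags the registry indicators listed above: the SonudMan Run entry, the .txt handler pointing at he1p.exe, DisableTaskMgr, the Internet Explorer HomePage policy and the SHOWALL CheckedValue. The sample export is constructed for the demonstration; the dword: and escaped-string encodings are those of the standard .reg format, not the notation used in the writeup.

```python
import re
# Registry indicators taken from the writeup above: (subkey, value name, check, description).
# dword:/quoted-string encodings are those of a standard .reg export, not the page's notation.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SonudMan",
     lambda v: v.lower().endswith(r"\sonudman.exe"), "autorun entry for SonudMan.exe"),
    (r"HKEY_CLASSES_ROOT\txtfile\shell\open\command", "@",
     lambda v: "he1p.exe" in v.lower(), ".txt file handler hijacked to he1p.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", lambda v: v == "dword:00000001", "Task Manager disabled by policy"),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
     "HomePage", lambda v: v == "dword:00000001", "IE home page locked by policy"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue", lambda v: v == "dword:00000000", "'Show hidden files' option disabled"),
]

def parse_reg_export(text):
    """Parse a .reg export into {(subkey, value_name): value}; keys and names lowercased."""
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and "=" in line and not line.startswith(";"):
            name, _, val = line.partition("=")
            name = name.strip('"')                         # '@' (the (Default) value) has no quotes
            if val.startswith('"') and val.endswith('"'):  # REG_SZ: drop quotes, unescape \\ and \"
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            entries[(key, name.lower())] = val
    return entries

def scan(entries):  # one finding per indicator whose value matches what the writeup describes
    findings = []
    for key, name, check, desc in INDICATORS:
        val = entries.get((key.lower(), name.lower()))
        if val is not None and check(val):
            findings.append(f"{desc}: {key}\\{name} = {val}")
    return findings
# Constructed .reg export imitating an infected profile (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SonudMan"="C:\\Windows\\SonudMan.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"C:\\Windows\\System32\\he1p.exe\" \"%1\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000'''
```

Running `scan(parse_reg_export(SAMPLE_REG))` on the sample yields one finding per indicator; on an export taken with `reg export HKCU out.reg` from a clean profile it returns an empty list.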
