Trojan:Win32/StartPage.SH


Trojan:Win32/Startpage.SH is a trojan that replaces the Windows desktop icon for Internet Explorer with an icon that runs the trojan instead. This trojan also changes Windows system settings.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

This malware changes registry data that is not restored simply by detecting and removing the threat. To return the registry data on an affected computer to its pre-infection state, run System Restore.

Threat behavior

Trojan:Win32/Startpage.SH is a trojan that replaces the Windows desktop icon for Internet Explorer with an icon that runs the trojan instead. This trojan also changes Windows system settings.
Installation
This trojan may be distributed as an installation file. When run, it creates the following subfolder with 'system' folder attributes:
  • %ProgramFiles%\Microsoft\Internat Explorar\
 
The trojan creates files in the new folder and the Windows desktop:
  • %ProgramFiles%\Microsoft\Internat Explorar\desktop.ini
  • %ProgramFiles%\Microsoft\Internat Explorar\target.lnk - shortcut link, used by the trojan to open an unwanted website
  • %ALLUSERSPROFILE%\Desktop\Internat Explorar.oc - when run, launches Internet Explorer to open shortcut link "target.lnk" above
The trojan creates a Windows desktop icon similar to the following, which starts Internet Explorer and visits an unwanted website when double-clicked:
 
 
The registry is modified so the trojan can execute when double-clicked by a user.
 
In subkey: HKLM\SOFTWARE\Classes\.oc
Sets value: "(default)"
With data: "ocfile"

In subkey: HKLM\SOFTWARE\Classes\ocfile\DefaultIcon
Sets value: "(default)"
With data: "%1"

In subkey: HKLM\SOFTWARE\Classes\ocfile\shell\open\command
Sets value: "(default)"
With data: "explorer "%ProgramFiles%\Microsoft\Internat Explorar""
Payload
Modifies Windows settings
The trojan hides the Windows desktop icon for Internet Explorer by modifying registry data.
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Sets value: "Attributes"
With data: "3" (default value is "0")
 
The trojan modifies registry data to hide file extensions.
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
 
The trojan modifies other registry data.
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
 
Changes web browser start page
If a user double-clicks the trojan-created "Internat Explorar" desktop icon, expecting to launch the web browser, Internet Explorer is launched and opens one of the following unwanted websites:
  • tt265.net
  • pp1234.cn
 
Analysis by Hyun Choi

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The standard icon for Internet Explorer is missing
  • The presence of the following files:
    • %ProgramFiles%\Microsoft\Internat Explorar\desktop.ini
    • %ProgramFiles%\Microsoft\Internat Explorar\target.lnk
    • %ALLUSERSPROFILE%\Desktop\Internat Explorar.oc
  • The presence of the following registry modifications:
    In subkey: HKLM\SOFTWARE\Classes\.oc
    Sets value: "(default)"
    With data: "ocfile"

    In subkey: HKLM\SOFTWARE\Classes\ocfile\DefaultIcon
    Sets value: "(default)"
    With data: "%1"

    In subkey: HKLM\SOFTWARE\Classes\ocfile\shell\open\command
    Sets value: "(default)"
    With data: "explorer "%ProgramFiles%\Microsoft\Internat Explorar""

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
    Sets value: "Attributes"
    With data: "3" (default value is "0")
  • The display of the following Windows desktop icon:

  • When the trojan is launched, one of the following websites is displayed:
    • tt265.net
    • pp1234.cn
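An added example, not part of this encyclopedia entry: a Python checker that evaluates a host against the file and registry indicators listed under Threat behavior and Symptoms. The assess() function works on a snapshot dictionary so it can be exercised on any platform, while collect_live() is the Windows-only collector that fills that snapshot from the registry with winreg; both function names and the strong/supporting weighting are assumptions of this example.

```python
import os

# Registry values exactly as listed under "Threat behavior", tagged by specificity: the .oc
# handler chain is unique to this family (strong); hiding the IE icon can be done by other
# software too, so it only supports a verdict (supporting). Weighting is this example's choice.
REGISTRY_IOCS = [
    (r"HKLM\SOFTWARE\Classes\.oc", "(default)", "ocfile", "strong"),
    (r"HKLM\SOFTWARE\Classes\ocfile\DefaultIcon", "(default)", "%1", "strong"),
    (r"HKLM\SOFTWARE\Classes\ocfile\shell\open\command", "(default)",
     r'explorer "%ProgramFiles%\Microsoft\Internat Explorar"', "strong"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID"
     r"\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder", "Attributes", "3", "supporting"),
]
FILE_IOCS = [
    r"%ProgramFiles%\Microsoft\Internat Explorar\desktop.ini",
    r"%ProgramFiles%\Microsoft\Internat Explorar\target.lnk",
    r"%ALLUSERSPROFILE%\Desktop\Internat Explorar.oc",
]


def assess(registry, present_files):
    """registry: {(subkey, value_name): data}; present_files: FILE_IOCS entries that exist.
    Returns {"strong": [...], "supporting": [...], "infected": bool}."""
    findings = {"strong": [], "supporting": []}
    for subkey, name, data, weight in REGISTRY_IOCS:
        # str() so a REG_DWORD 3 and the documented "3" compare equal.
        if str(registry.get((subkey, name))) == data:
            findings[weight].append(f"{subkey}\\{name} = {data}")
    present = {p.lower() for p in present_files}
    for path in FILE_IOCS:
        if path.lower() in present:
            findings["strong"].append(f"file present: {path}")
    return {**findings, "infected": bool(findings["strong"])}


def collect_live():
    """Windows only: read the listed values from the live registry, test the file paths and
    hand both to assess(). Keys that do not exist are simply absent from the snapshot."""
    if os.name != "nt":
        raise RuntimeError("live collection needs Windows; call assess() on a snapshot instead")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    registry = {}
    for subkey, name, _, _ in REGISTRY_IOCS:
        hive, _, path = subkey.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                value, _ = winreg.QueryValueEx(key, "" if name == "(default)" else name)
                registry[(subkey, name)] = str(value)
        except OSError:
            continue
    files = [p for p in FILE_IOCS if os.path.exists(os.path.expandvars(p))]
    return assess(registry, files)
```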

Prevention


Alert level: Severe
First detected by definition: 1.115.2785.0
Latest detected by definition: 1.115.2785.0 and higher
First detected on: Nov 29, 2011
This entry was first published on: Apr 25, 2007
This entry was updated on: Jan 14, 2012

This threat is also detected as:
  • Dropper.NSIS.E (AVG)
  • TR/Dropper.Gen (Avira)
  • NSIS/TrojanClicker.Agent.BG.Gen (ESET)
  • Trojan.Script.StartPage.ca (Rising AV)
  • Trojan.StartPage (Symantec)
  • TROJ_SPNR.15KL11 (Trend Micro)