Trojan:Win32/Startpage.SH is a trojan that replaces the Windows desktop icon for Internet Explorer with an icon that runs the trojan instead. This trojan also changes Windows system settings.
Installation
This trojan may be distributed as an installation file. When run, it creates the following subfolder with the 'system' folder attribute set:
- %ProgramFiles%\Microsoft\Internat Explorar\
The trojan creates the following files in the new folder and on the Windows desktop shared by all users:
- %ProgramFiles%\Microsoft\Internat Explorar\desktop.ini
- %ProgramFiles%\Microsoft\Internat Explorar\target.lnk - shortcut link, used by the trojan to open an unwanted website
- %ALLUSERSPROFILE%\Desktop\Internat Explorar.oc - when run, launches Internet Explorer to open the shortcut link "target.lnk" above
The trojan creates a Windows desktop icon similar to the following, which starts Internet Explorer and visits an unwanted website when double-clicked:
The registry is modified to register the ".oc" file extension, so that the desktop file displays its own embedded icon ("%1") and, when double-clicked by a user, is opened with Explorer against the trojan's folder instead of running a legitimate program:
In subkey: HKLM\SOFTWARE\Classes\.oc
Sets value: "(default)"
With data: "ocfile"
In subkey: HKLM\SOFTWARE\Classes\ocfile\DefaultIcon
Sets value: "(default)"
With data: "%1"
In subkey: HKLM\SOFTWARE\Classes\ocfile\shell\open\command
Sets value: "(default)"
With data: "explorer "%ProgramFiles%\Microsoft\Internat Explorar""
Payload
Modifies Windows settings
The trojan hides the Windows desktop icon for Internet Explorer by modifying registry data.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
Sets value: "Attributes"
With data: "3" (default value is "0")
The trojan modifies registry data to hide file extensions.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
The trojan modifies other registry data.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
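The file and registry artifacts listed above can be checked for, and reverted, with a short audit script. The following PowerShell function is an added example and is not part of the original encyclopedia entry: the paths, key names and values are taken from this page, while the function name, the -Remediate switch and the shape of the returned objects are assumptions of this example. It must run in an elevated PowerShell session because the ".oc" association lives under HKLM.

```powershell
# Added example (not from the original entry): audit a host for the artifacts this
# page lists for Trojan:Win32/Startpage.SH and optionally revert them.
# Paths, value names and data come from the page; the function name, the -Remediate
# switch and the output object layout are this example's own assumptions.
# Remediation only reverts the indicators listed on the page; it does not locate or
# remove the installation file that dropped them.
function Test-StartpageSHIndicators {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = New-Object System.Collections.Generic.List[object]

    # Filesystem artifacts, spelled exactly as the trojan spells them.
    $folder = Join-Path $env:ProgramFiles 'Microsoft\Internat Explorar'
    $files = @(
        (Join-Path $folder 'desktop.ini'),
        (Join-Path $folder 'target.lnk'),
        (Join-Path $env:ALLUSERSPROFILE 'Desktop\Internat Explorar.oc'),
        $folder   # listed last so its contents are recorded before the folder is removed
    )
    foreach ($p in $files) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add([pscustomobject]@{ Kind = 'File'; Location = $p; Value = $null })
        }
    }

    # Registry indicators. '(default)' is how Get-ItemProperty exposes a key's default value.
    # Bad is the data the page says the trojan writes; RemoveKey / SetTo is the revert action.
    $ocfile = 'HKLM:\SOFTWARE\Classes\ocfile'
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Classes\.oc';  Name = '(default)'; Bad = 'ocfile';              RemoveKey = 'HKLM:\SOFTWARE\Classes\.oc' },
        @{ Path = "$ocfile\DefaultIcon";         Name = '(default)'; Bad = '%1';                  RemoveKey = $ocfile },
        @{ Path = "$ocfile\shell\open\command";  Name = '(default)'; Bad = '*Internat Explorar*'; RemoveKey = $ocfile },
        # Hidden Internet Explorer desktop icon; the page gives the default as 0.
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder';
           Name = 'Attributes'; Bad = 3; SetTo = 0 },
        # HideFileExt=1 is also Windows' own default, so alone it is a weak indicator;
        # 0 (show extensions) is the hardened setting and is what we restore.
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
           Name = 'HideFileExt'; Bad = 1; SetTo = 0 },
        # The page gives no default for ProxyBypass, so it is reported but left unchanged.
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap';
           Name = 'ProxyBypass'; Bad = 1 }
    )

    # Pass 1: collect every match before touching anything, so removing the ocfile key
    # for one check does not hide the other ocfile checks from the report.
    $hits = @()
    foreach ($c in $checks) {
        $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $actual = $item.($c.Name)
        if ($null -eq $actual -or -not ($actual -like $c.Bad)) { continue }
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = "$($c.Path) [$($c.Name)]"; Value = $actual })
        $hits += $c
    }

    # Pass 2: revert, only when asked.
    if ($Remediate) {
        foreach ($c in $hits) {
            if ($c.RemoveKey) {
                if (Test-Path -LiteralPath $c.RemoveKey) {
                    Remove-Item -LiteralPath $c.RemoveKey -Recurse -Force
                }
            } elseif ($c.ContainsKey('SetTo')) {
                Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.SetTo -Type DWord
            }
        }
        foreach ($f in $findings | Where-Object Kind -eq 'File') {
            if (Test-Path -LiteralPath $f.Location) {
                Remove-Item -LiteralPath $f.Location -Recurse -Force
            }
        }
    }

    return $findings
}

# Report only:
Test-StartpageSHIndicators | Format-Table -AutoSize
# Report and revert (elevated session):
# Test-StartpageSHIndicators -Remediate | Format-Table -AutoSize
```

Run it without -Remediate first and review the output; on a clean host it returns nothing. Because the HideFileExt and ProxyBypass values also occur on uninfected systems, treat them as supporting evidence only and rely on the ".oc" association and the "Internat Explorar" paths as the decisive indicators. Consider exporting HKLM\SOFTWARE\Classes\.oc and HKLM\SOFTWARE\Classes\ocfile with reg.exe before reverting, so the evidence is preserved for incident records.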
Changes web browser start page
If a user double-clicks the trojan-created desktop icon "Internat Explorar", expecting to launch the web browser, Internet Explorer is launched and opens one of the following unwanted websites:
Analysis by Hyun Choi