Threat behavior
Trojan:Win32/Startpage.AEJ is a trojan that creates an Internet Explorer shortcut on the desktop that directs the user to a pre-determined website. In the wild, we have observed this shortcut directing the user to an advertising website.
Installation
Trojan:Win32/Startpage.AEJ may be installed by other malware; however, at the time of writing, these details were not available.
Payload
Creates desktop shortcut
Trojan:Win32/Startpage.AEJ creates the following registry entries so that a shortcut is added to the affected user's desktop:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}
Sets value: "Default"
With data: "Internet Explorer"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}
Sets value: "Default"
With data: "C:\\Program Files\\Internet Explorer\\iexplore.exe,-32528"
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\Shell
Sets value: "Default"
With data: "打开主页(&H)" (the menu label is Chinese for "Open Home Page"; the string is stored in a GBK code page and appears as mojibake when rendered as Latin-1)
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\Shell\Start
Sets value: "Default"
With data: "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" http://www.k969.com/"
Modifies system settings
The trojan creates the following registry entry to remove the "Delete" option from the right-click menu of the desktop shortcut, so that the user cannot delete it in the usual way:
In subkey: HKLM\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder
Sets value: "Attributes"
With data: "dword:00000010"
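The following PowerShell check is an added example and is not part of this encyclopedia entry or of any Microsoft tool. It reads the CLSID subkey named above and reports the two indicators the description lists: a Shell\Start command that launches Internet Explorer with a URL, and a ShellFolder Attributes value of 0x10. The URL-matching pattern and the exit codes are the example's own conventions; run it from an elevated PowerShell prompt so the HKLM hive can be read in full.

```powershell
# Added detection check for the registry indicators described above.
# Not part of the original entry; assumptions are noted in comments.
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}'
$findings = @()

function Get-DefaultValue([string]$Path) {
    # Return the (Default) value of a key, or $null if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

# Indicator 1: Shell\Start default command runs iexplore.exe with a URL.
$start = Get-DefaultValue "$clsid\Shell\Start"
if ($start -and $start -match 'iexplore\.exe.*?(https?://\S+)') {
    $findings += "Shell\Start launches Internet Explorer with URL: $($Matches[1])"
}

# Indicator 2: ShellFolder\Attributes = 0x10 (Delete removed from context menu).
$shellFolder = "$clsid\ShellFolder"
if (Test-Path -LiteralPath $shellFolder) {
    $attrs = (Get-ItemProperty -LiteralPath $shellFolder -ErrorAction SilentlyContinue).Attributes
    if ($null -ne $attrs -and $attrs -eq 0x10) {
        $findings += ('ShellFolder\Attributes = 0x{0:X8} (Delete option suppressed)' -f $attrs)
    }
}

# Also surface the menu label so an analyst can see the localised text.
$label = Get-DefaultValue "$clsid\Shell"
if ($label) { $findings += "Shell default (menu label): $label" }

if ($findings.Count -gt 0) {
    Write-Output "Indicators consistent with Trojan:Win32/Startpage.AEJ found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1   # non-zero so the check can be used from a scheduled task or EDR script
} else {
    Write-Output "No Startpage.AEJ registry indicators present under $clsid"
    exit 0
}
```

On a clean system the CLSID key either does not exist or does not carry a Shell\Start subkey, so the script exits 0. Because the trojan reuses a CLSID rather than a file path, checking the Shell\Start command and the Attributes flag together is more reliable than looking for a specific .lnk file on the desktop.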
Analysis by Zhitao Zhou
Prevention