Trojan:Win32/Startpage.KG is a trojan that modifies the affected user's default home page.
When run, Trojan:Win32/Startpage.KG drops a registry script named "qq.reg" in the <malware folder> directory.
The trojan then imports "qq.reg" into the registry by running the following command; the /s switch suppresses the regedit confirmation prompt, so the import is silent:
<system folder>\cmd.exe /c regedit /s "c:\Malware\QQ.reg"
Importing this file applies the registry changes listed under Payload below.
Payload
Modifies browser settings
Trojan:Win32/Startpage.KG changes web browser settings so that when the browser is launched, it opens http://www.520921.com.
It also makes the following changes to the registry. Taken together, they hide the genuine Internet Explorer desktop icon (CLSID {871C5380-42A0-1069-A2EA-08002B30309D}), register a counterfeit "Internet Explorer" shell namespace item under a new CLSID whose Open command launches IEXPLORE.EXE with the hijack URL, and disable the Desktop Cleanup Wizard so that the counterfeit icon is not removed. Non-ASCII characters in value data that did not survive rendering are shown as "?" in this listing.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
Sets value: "{871C5380-42A0-1069-A2EA-08002B30309D}"
With data: "dword:00000001"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Sets value: "{871C5380-42A0-1069-A2EA-08002B30309D}"
With data: "dword:00000001"
In subkey: HKCR\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}
Sets value: "@"
With data: "Internet Explorer"
In subkey: HKCR\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon
Sets value: "@"
With data: "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
In subkey: HKCR\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)
Sets value: "@"
With data: "????(&H)"
In subkey: HKCR\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command
Sets value: "@"
With data: "\"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.520921.com/?2"
In subkey: HKCR\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command
Sets value: "@"
With data: "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
In subkey: HKCU\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder
Sets value: "Attributes"
With data: "dword:0000000a"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}
Sets value: "@"
With data: "Internet Explorer"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\DefaultIcon
Sets value: "@"
With data: "c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)
Sets value: "@"
With data: "????(&H)"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\Open(&O)\Command
Sets value: "@"
With data: "\"c:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.520921.com/?2"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\Shell\??(&R)\Command
Sets value: "@"
With data: "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
In subkey: HKCU\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-775852013521}\ShellFolder
Sets value: "Attributes"
With data: "dword:0000000a"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-775852013521}
Sets value: "@"
With data: "Internet Explorer"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDesktopCleanupWizard"
With data: "dword:00000001"
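The following script is an added example, not part of the original write-up: it audits a host for the registry artifacts listed above (the counterfeit CLSID, the hidden genuine Internet Explorer icon, the NoDesktopCleanupWizard policy) and, with -Remediate, removes them. The CLSIDs and the hijack host come from the listing; the check of the IE "Start Page" value is an assumption, since the write-up does not name the value it alters, and the script name used in the usage note is likewise assumed.

```powershell
<#
Added example (not from the original write-up): audits a host for the
registry artifacts described above and, with -Remediate, removes them.
Run in an elevated PowerShell session (HKCR changes need admin). Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$FakeClsid  = '{C42EB5A1-0EED-E549-91B0-775852013521}'   # counterfeit "Internet Explorer" item (from the write-up)
$RealIeIcon = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # genuine Internet Explorer desktop icon CLSID
$HijackHost = 'www.520921.com'

$ExplorerKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$NamespaceKey = "$ExplorerKey\Desktop\NameSpace\$FakeClsid"
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IeMainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ClsidRoots   = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'HKCU:\Software\Classes\CLSID')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Counterfeit shell namespace item registered on the user's Desktop
if (Test-Path -LiteralPath $NamespaceKey) {
    $findings.Add("Desktop NameSpace entry for $FakeClsid")
}

# 2. CLSID registrations whose Open command launches IE with the hijack URL
foreach ($root in $ClsidRoots) {
    $cmdKey = "$root\$FakeClsid\Shell\Open(&O)\Command"
    if (Test-Path -LiteralPath $cmdKey) {
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        if ($cmd -match [regex]::Escape($HijackHost)) {
            $findings.Add("Open command at $cmdKey runs: $cmd")
        }
    }
}

# 3. Genuine IE desktop icon hidden in both Start menu views
foreach ($view in 'ClassicStartMenu', 'NewStartPanel') {
    $hideKey = "$ExplorerKey\HideDesktopIcons\$view"
    $hidden = (Get-ItemProperty -LiteralPath $hideKey -Name $RealIeIcon -ErrorAction SilentlyContinue).$RealIeIcon
    if ($hidden -eq 1) { $findings.Add("Genuine IE desktop icon hidden in $view") }
}

# 4. Desktop Cleanup Wizard disabled (stops Windows XP from sweeping the fake icon away)
$noCleanup = (Get-ItemProperty -LiteralPath $PolicyKey -Name NoDesktopCleanupWizard -ErrorAction SilentlyContinue).NoDesktopCleanupWizard
if ($noCleanup -eq 1) { $findings.Add('NoDesktopCleanupWizard policy set to 1') }

# 5. Assumption: the write-up does not list the start-page value it changes, so this
#    check looks at the usual IE "Start Page" value for the hijack host.
$ieMain = Get-ItemProperty -LiteralPath $IeMainKey -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Start Page' -match [regex]::Escape($HijackHost)) {
    $findings.Add("IE Start Page is $($ieMain.'Start Page')")
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:Win32/Startpage.KG registry artifacts found.'
    return
}
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if (-not $Remediate) { return }

# Remove the counterfeit namespace item and its CLSID registrations
$keysToRemove = @($NamespaceKey) + ($ClsidRoots | ForEach-Object { "$_\$FakeClsid" })
foreach ($key in $keysToRemove) {
    if ((Test-Path -LiteralPath $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}

# Unhide the genuine icon and re-enable the Desktop Cleanup Wizard
foreach ($view in 'ClassicStartMenu', 'NewStartPanel') {
    $hideKey = "$ExplorerKey\HideDesktopIcons\$view"
    if ($PSCmdlet.ShouldProcess("$hideKey\$RealIeIcon", 'Remove value')) {
        Remove-ItemProperty -LiteralPath $hideKey -Name $RealIeIcon -ErrorAction SilentlyContinue
    }
}
if ($PSCmdlet.ShouldProcess("$PolicyKey\NoDesktopCleanupWizard", 'Remove value')) {
    Remove-ItemProperty -LiteralPath $PolicyKey -Name NoDesktopCleanupWizard -ErrorAction SilentlyContinue
}

# Reset the start page only if it still points at the hijack host
if ($ieMain -and $ieMain.'Start Page' -match [regex]::Escape($HijackHost) -and
    $PSCmdlet.ShouldProcess("$IeMainKey\Start Page", 'Reset to about:blank')) {
    Set-ItemProperty -LiteralPath $IeMainKey -Name 'Start Page' -Value 'about:blank'
}
```

Save it as, for instance, Check-StartpageKG.ps1 (name assumed) and run it without switches to audit; run with -Remediate -WhatIf to preview the keys and values that would be removed before committing to -Remediate. The audit relies on the artifacts as listed here; a variant that changes the counterfeit CLSID or host would need those two values updated.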
Analysis by Wei Li