Threat behavior
Trojan:Win32/Startpage.LU is a detection for trojans that modify the affected user's default Internet Explorer home page.
Installation
When run, Trojan:Win32/Startpage.LU drops an Internet Explorer shortcut link file "internet explorer.lnk" and a .url file "âì髵¼º½.url" under the following directories:
c:\documents and settings\administrator\desktop
c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch
This sets the start page to http://www.520560.com, so that when the browser is launched, it opens to this page.
Payload
Modifies browser settings
Trojan:Win32/Startpage.LU modifies the affected computer's browser settings by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\
Sets value: "{871C5380-42A0-1069-A2EA-08002B30309D}"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Sets value: "{871C5380-42A0-1069-A2EA-08002B30309D}"
With data: "1"
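The file and registry changes described above can be checked on a host with a short script. The following PowerShell is an added example, not part of the original analysis. It assumes the current user's Desktop and Quick Launch folders in place of the administrator paths listed above, and that the URL appears in a shortcut's target or arguments.

```powershell
# Added example: looks for the artifacts this page lists in the current user's profile.
$clsid    = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # value name from the page
$site     = '520560.com'                               # start page host from the page
$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons'
$findings = @()

# Registry: value named after the CLSID, with data 1, under both subkeys.
foreach ($sub in 'ClassicStartMenu', 'NewStartPanel') {
    $key  = Join-Path $base $sub
    $prop = Get-ItemProperty -Path $key -Name $clsid -ErrorAction SilentlyContinue
    if ($prop -and $prop.$clsid -eq 1) {
        $findings += "Registry: $key -> $clsid = 1"
    }
}

# Files: shortcuts in Desktop and Quick Launch.
# Assumption: the current user's folders stand in for the administrator paths on the page.
$dirs = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
        if ($file.Extension -notin '.lnk', '.url') { continue }
        # Assumption: the URL sits in the shortcut's target or its arguments.
        $sc   = $shell.CreateShortcut($file.FullName)
        $dest = "$($sc.TargetPath) $($sc.Arguments)"
        if ($dest -like "*$site*") {
            $findings += "Shortcut: $($file.FullName) -> $($dest.Trim())"
        }
    }
}

if ($findings) { $findings } else { 'No Startpage.LU artifacts from this page were found.' }
```

Run it in the context of the user account being examined, since both the registry subkeys and the folders are per-user.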
Analysis by Wei Li
Prevention