Trojan:Win32/Startpage.MC is a trojan that changes the Internet Explorer start page, removes and adds various desktop shortcuts and start menu items, modifies system settings, and adds Internet Explorer favorites. Some variants may also attempt to block access to certain security related sites.
Installation
Trojan:Win32/Startpage.MC runs from its original location.
It writes an icon file to %ProgramFiles%\Common Files\dao.ico.
This file contains the following icon:
Some variants may use the following file name instead:
If 360 security software is present on the affected computer, the malware will also write an icon file to %ProgramFiles%\Common Files\360.ico, which appears as follows:

Payload
Replaces desktop shortcuts and Start Menu items
The malware deletes the following .LNK files if they are present:
- %DESKTOPDIRECTORY%\Internet Explorer.lnk
- %COMMON_DESKTOP%\Internet Explorer.lnk
- %Start Menu%\Internet Explorer.lnk
- %COMMON_STARTMENU%\Internet Explorer.lnk
- %STARTUP%\Internet Explorer.lnk
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
Deleting these .LNK files removes desktop shortcuts, Start Menu items, startup items and Quick Launch shortcuts for Internet Explorer.
It also attempts to delete a number of .LNK files related to 360 security software from the same directory locations as above. These generally have filenames beginning with '360' followed by Chinese characters.
Trojan:Win32/Startpage.MC then creates a number of files containing Internet shortcuts linking to a particular location:
- %Start Menu%\Internet Explorer.url
- %PROGRAMS%\Internet Explorer.url
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.url
These files use an Internet Explorer icon.
In the wild, we have observed the trojan using the following shortcut location:
At the time of publication, the following examples had been observed:
- http://%34%35%35%35%35%35%2e%6e%65%74/ [http://455555.net]
- http://%35%34%32%31%34%35%34%31%32%2e%63%6f%6d [http://542145412.com]
- http://%36%6c%2e%63%6e/r/ [http://6l.cn/r/]
- http://%36%6c%2e%63%6e/s/ [http://6l.cn/s/]
- http://%68%2e%73%72%70%6b%77%2e%63%6f%6d/ [http://h.srpkw.com/]
- http://%6e%69%6e%65%73%6b%79%2e%6e%65%74/ [http://ninesky.net/]
- http://%74%2e%77%6f%7a%68%61%6f%31%32%33%2e%63%6f%6d/ [http://t.wozhao123.com/]
- http://%77%77%77%2e%30%33%36%36%37%2e%63%6f%6d/?vip [http://www.03667.com/?vip]
- http://%77%77%77%2e%31%38%32%38%36%2e%6e%65%74/?shen [http://www.18286.net/?shen]
- http://%77%77%77%2e%62%61%69%73%6f%75%31%32%33%2e%63%6f%6d/ [http://www.baisou123.com/]
- http://%77%77%77%2e%62%64%64%64%2e%63%6e/ [http://www.bddd.cn/]
- http://%77%77%77%2e%68%61%6f%33%39%36%2e%63%6f%6d/?my [http://www.hao396.com/?my]
- http://%77%77%77%2e%7a%33%39%33%2e%63%6f%6d/ [http://www.z393.com/]
- http://%7a%68%6f%6e%67%6c%69%71%69%6e%67%2e%63%6f%6d/ [http://zhongliqing.com/]
- http://123.923yx.com
- http://455555.net
- http://5154722.com
- http://6l.cn/s/
- http://h.srpkw.com
- http://leichunguang.com
- http://n.srpkw.com
- http://t.wala123.com
- http://t.wozhao123.com
- http://www.03667.com/?s
- http://www.114wu.com/?10
- http://www.13373.cn
- http://www.18286.net/?shen
- http://www.18819.com
- http://www.2211a.com/?2211
- http://www.2211a.com/?sm
- http://www.222wa.com/?123
- http://www.223la.com/?ie
- http://www.223la.com/?new
- http://www.223la.com/?tan
- http://www.224466.net
- http://www.22qi.com/?da
- http://www.22qi.com/?ma
- http://www.2548.cc
- http://www.4055ma.com
- http://www.4055ne.com
- http://www.4462.com/?xsl
- http://www.4462.com/?yya
- http://www.4462la.com
- http://www.4462le.com
- http://www.4462lo.com/?qvod1
- http://www.4462ma.com
- http://www.4555.net/?new
- http://www.519ah.com/?sss
- http://www.51jk5.com
- http://www.5575.cn
- http://www.7124.cn
- http://www.8765.net.cn/?s
- http://www.96302.com/?sl
- http://www.a585.com
- http://www.baisou123.com
- http://www.bddd.cn
- http://www.ccc7.com
- http://www.dao345.com
- http://www.gzjunjun.com.cn/
- http://www.hao396.com/?aq
- http://www.hao396.com/?da
- http://www.jiuku123.com
- http://www.jj77.com
- http://www.kk11.com
- http://www.ok8844.com/index.html
- http://www.on86.com
- http://www.on86.com/?581
- http://www.pmw8.com/?sh
- http://www.z393.com
Note: Some of the above URLs are partially URL-encoded; the decoded values are shown in square brackets.
The trojan also creates files in the following directories, and uses the dao.ico icon as displayed in the Installation section:
- %Start Menu%\<Chinese characters>.url
- %PROGRAMS%\<Chinese characters>.url
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\<Chinese characters>.url
An example of the location linked to is http://api.11zuiduan.com/taobao/tb.htm.
If 360 security software is present on the system, it will also write another set of Internet shortcuts to the same folders. These have filenames beginning with 360 followed by Chinese characters and a .url extension. They use the 360.ico icon written previously, and link to the same location as that in the Internet Explorer shortcuts it wrote previously.
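The Internet shortcuts the trojan drops are ordinary [InternetShortcut] .url files whose URL line is often percent-encoded, including the host part, so a plain string match on a hostname misses them. The following triage script is an added example and is not part of this entry or of any Microsoft tooling: it parses a .url file, decodes the percent-encoding the same way a browser would, flags an encoded host as suspicious in its own right (legitimate shortcuts do not encode the authority), and matches the decoded host against a watchlist. The sample shortcut text and the KNOWN_HOSTS subset are constructed from the locations listed above; the function and variable names are this example's own.

```python
import configparser
import os
from urllib.parse import unquote, urlsplit

# Constructed sample of a Windows Internet Shortcut (.url) file in the style the trojan writes,
# with the URL percent-encoded as in the examples on this page (assumption: not a captured file).
SAMPLE_URL_FILE = """[InternetShortcut]
URL=http://%36%6c%2e%63%6e/r/
IconFile=C:\\Program Files\\Common Files\\dao.ico
IconIndex=0
"""

# Subset of the hostnames from the shortcut locations listed on this page.
KNOWN_HOSTS = {
    "455555.net", "542145412.com", "6l.cn", "h.srpkw.com",
    "www.96302.com", "api.11zuiduan.com",
}


def parse_internet_shortcut(text):
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    # interpolation=None: '%' is data here, not a configparser interpolation marker.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case ("URL", "IconFile")
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def decode_url(url):
    """Percent-decode the whole URL (browsers accept an encoded host) and extract the host."""
    decoded = unquote(url)
    return decoded, urlsplit(decoded).hostname


def is_obfuscated(url):
    """True when the authority (host) part itself contains percent-escapes."""
    return "%" in urlsplit(url).netloc


def classify_shortcut(text, known_hosts=KNOWN_HOSTS):
    """Classify one .url file's content: decoded URL, host, obfuscation flag, watchlist hit."""
    url = parse_internet_shortcut(text)
    if url is None:
        return {"url": None, "host": None, "obfuscated_host": False, "known_bad": False}
    decoded, host = decode_url(url)
    return {
        "url": decoded,
        "host": host,
        "obfuscated_host": is_obfuscated(url),
        "known_bad": host in known_hosts,
    }


def scan_directory(root, known_hosts=KNOWN_HOSTS):
    """Walk a directory tree (an offline copy of Start Menu / Quick Launch, for example)
    and classify every .url file found; returns {path: classification}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".url"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = classify_shortcut(fh.read(), known_hosts)
    return results


if __name__ == "__main__":
    print(classify_shortcut(SAMPLE_URL_FILE))
```

Pointing scan_directory at the %Start Menu%, %PROGRAMS% and Quick Launch folders named above lists every shortcut that either hides its destination behind percent-encoding or resolves to one of the observed hosts; the icon-file paths in the same .url files (dao.ico, 360.ico) are a second, independent indicator.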
Modifies registry settings
The malware attempts to delete the following registry keys and their contents:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
- HKCU\Software\Microsoft\Internet Explorer\TypedUrls
- HKCR\lnkfile\IsShortcut
The trojan then attempts to create the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Sets value: "{871C5380-42A0-1069-A2EA-08002B30309D}"
With data: "1"
Trojan:Win32/Startpage.MC makes the following changes to the registry to remove the Internet Explorer icon from the desktop:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "1"
Sets value: "SuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoInternetIcon"
With data: "0"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}
Sets value: (Default)
With data: "Internet Explorer"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon
Sets value: (Default)
With data: "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\[Chinese](&R)\Command
Sets value: (Default)
With data: "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\[Chinese](&D)\Command
Sets value: (Default)
With data: "Rundll32.exe"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\[Chinese](&M)\Command
Sets value: (Default)
With data: "Rundll32.exe"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command
Sets value: (Default)
With data: "iexplore.exe http://www.96302.com/?sl"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)
Sets value: (Default)
With data: "[Chinese](&H)"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder
Sets value: "Attributes"
With data: "0"
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}
Sets value: (Default)
With data: [Chinese]
where [Chinese] indicates a number of Chinese characters.
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}\DefaultIcon
Sets value: (Default)
With data: "%ProgramFiles%\Common Files\dao.ico"
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}\Shell\[Chinese](&R)\Command
Sets value: (Default)
With data: "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}\Shell\[Chinese](&D)\Command
Sets value: (Default)
With data: "Rundll32.exe"
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}\Shell\[Chinese](&M)\Command
Sets value: (Default)
With data: "Rundll32.exe"
In subkey: HKCR\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283688}\Shell\Open(&O)\Command
Sets value: (Default)
With data: "iexplore.exe http://api.11zuiduan.com/taobao/tb.htm"
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)
Sets value: (Default)
With data: [Chinese](&H)
where [Chinese] indicates a number of Chinese characters.
In subkey: HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder
Sets value: "Attributes"
With data: "0"
Some variants may use different Class IDs for these registry entries, such as:
- {f3ca57df-c5da-11cf-8f28-00aa0060fd43}
- {ff5d0546-76a2-af43-ab16-59306cc8d88e}
Modifies Hosts file
Some variants attempt to block access to certain security related servers by writing a new Hosts file to <system folder>\drivers\etc\hosts. Examples of servers blocked by the malware include the following:
- www.360.cn
- 360.cn
- bbs.360.cn
- update.360safe.com
- qd.code.360.cn
- x.360safe.com
- rd.360.cn
- conf.f.360.cn
- stat.360safe.com
- updatem.360safe.com
- sd.360.cn
- wd.360.cn
- se.360.cn
- hao.360.cn
- wan.360.cn
- sampleup.sd.360.cn
- sdupm.360.cn
- sdup.360.cn
- pstat.p.360.cn
- pdown.stat.360safe.com
- sdl.360safe.com
- www.pc120.com
- pc120.com
- www.duba.net
- www.ijinshan.com
- ijinshan.com
- www.rising.com.cn
- www.kaspersky.com.cn
- down.360safe.com
- kaspersky.com.cn
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
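A hosts file that maps security-vendor domains to the loopback or null address is easy to check for once the file is parsed properly (comments, blank lines and multiple names per line all have to be handled). The script below is an added example, not part of this entry: it parses hosts-file text, reports every entry whose name falls under one of the vendor domains listed above, and produces a cleaned copy with those lines removed. The sample hosts content is constructed for the example, and the suffix list is a subset of the domains named on this page.

```python
import ipaddress

# Parent domains of the security-related servers listed on this page (subset).
SECURITY_VENDOR_SUFFIXES = (
    "360.cn", "360safe.com", "pc120.com", "duba.net",
    "ijinshan.com", "rising.com.cn", "kaspersky.com.cn",
)

# Constructed hosts-file content (assumption: not taken from an infected machine).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.360.cn
127.0.0.1 update.360safe.com
127.0.0.1 www.kaspersky.com.cn
0.0.0.0 down.360safe.com  # null-routed instead of loopback
10.0.0.5 intranet.example.local
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every name mapping; skips comments and junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; not a mapping line
        for name in parts[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def is_security_vendor(name):
    """True if name equals, or is a subdomain of, a listed vendor domain."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def find_sinkholed_vendors(text):
    """Hosts-file entries that redirect a security-vendor name anywhere at all."""
    return [e for e in parse_hosts(text) if is_security_vendor(e[2])]


def clean_hosts(text):
    """Return the hosts text with every vendor-redirecting mapping line removed."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and any(is_security_vendor(p) for p in parts[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name in find_sinkholed_vendors(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Any mapping of a vendor domain counts, not only mappings to 127.0.0.1, because a variant that points the name at an attacker-chosen address blocks updates just as effectively; a system with no legitimate reason to override these names should have none of them in <system folder>\drivers\etc\hosts.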
Modifies browser settings
Trojan:Win32/Startpage.MC attempts to change Internet Explorer’s start page by making the following registry modifications:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: <new start page> (for example, "http://www.96302.com/?sl")
It uses the same value as that used in the Internet shortcuts, in the "Replaces desktop shortcuts and Start Menu items" section above.
Changes Internet Explorer window title
The trojan attempts to change Internet Explorer’s window title to "Microsoft Internet Explorer" by making the following registry modifications:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Window Title"
With data: "Microsoft Internet Explorer"
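The registry changes described in the "Modifies registry settings", "Modifies browser settings" and "Changes Internet Explorer window title" sections can all be checked offline against a regedit export (.reg file) of the affected hive. The checker below is an added example and is not part of this entry or of any Microsoft tool: it parses the .reg export format, then reports any string value that embeds a URL on a host from the observed list (this catches both the "Start Page" value and the CLSID Shell\Open command), a "Window Title" value set to "Microsoft Internet Explorer", and the HideDesktopIcons entry that hides the Internet Explorer icon. The sample export is constructed to reproduce the values named on this page; the function names and the KNOWN_HOSTS subset are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed .reg export reproducing the value changes described on this page
# (assumption: sample input for the checker, not an export from an infected machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.96302.com/?sl"
"Window Title"="Microsoft Internet Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command]
@="iexplore.exe http://www.96302.com/?sl"
'''

# Subset of hostnames from the shortcut locations listed on this page.
KNOWN_HOSTS = {"www.96302.com", "api.11zuiduan.com", "6l.cn", "h.srpkw.com", "455555.net"}

IE_MAIN_KEYS = (
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_local_machine\software\microsoft\internet explorer\main",
)
HIDE_ICON_KEYS = (
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\newstartpanel",
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\classicstartmenu",
)
IE_DESKTOP_ICON_CLSID = "{871c5380-42a0-1069-a2ea-08002b30309d}"

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data (default value)
URL_RE = re.compile(r'https?://[^\s"]+')


def parse_reg_export(text):
    """Parse a .reg export into {(key_lower, name_lower): data}; strings are unescaped,
    dword values become ints, other types are kept as their raw text."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            values[(key.lower(), name.lower())] = data
    return values


def check_indicators(values, known_hosts=KNOWN_HOSTS):
    """Return (kind, key, value_name, data) findings for the changes described on this page."""
    findings = []
    # Any string value carrying a URL on an observed host: covers "Start Page" and the
    # CLSID Shell\Open(&O)\Command hijack alike.
    for (key, name), data in values.items():
        if isinstance(data, str):
            for url in URL_RE.findall(data):
                if urlsplit(url).hostname in known_hosts:
                    findings.append(("known_host_url", key, name, url))
    for key in IE_MAIN_KEYS:
        if values.get((key, "window title")) == "Microsoft Internet Explorer":
            findings.append(("window_title", key, "window title", values[(key, "window title")]))
    for key in HIDE_ICON_KEYS:
        if values.get((key, IE_DESKTOP_ICON_CLSID)) == 1:
            findings.append(("ie_icon_hidden", key, IE_DESKTOP_ICON_CLSID, 1))
    return findings


if __name__ == "__main__":
    for finding in check_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Exporting HKCU\Software\Microsoft\Internet Explorer, HKCR\CLSID and the HideDesktopIcons keys from a suspect machine and running them through this checker gives a quick answer without touching the live registry; the same parser can be pointed at the {C27CCE38-...} CLSID and the alternative Class IDs listed above, since the URL check does not depend on the key name.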
Adds Internet Explorer Favorites
The malware adds one or more Favorites to Internet Explorer by creating a number of files with Chinese file names in the %favorites% directory. These favorites link to the same page as the newly changed start page (for example, http://www.96302.com/?sl).
Additional information
The trojan may store status information under the HKCR\Pz or HKCR\Play2a registry keys.
Analysis by David Wood