Trojan:Win32/Startpage.OM is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/Startpage.OM copies itself to c:\documents and settings\administrator\application data\windows32.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "MicrosoftWindows"
With data: "c:\documents and settings\administrator\application data\windows32.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Payload
Modifies browser settings
Trojan:Win32/Startpage.OM changes the start page for Internet Explorer to http://redirecturls.info/ by making the following registry modification:
Adds value: "Start Page"
With data: "http://redirecturls.info/"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
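The registry changes listed above can be checked on a host with a read-only PowerShell query. This is an added example, not part of the original description; the function name Get-StartpageOmFinding is hypothetical, and matching the autostart data on the file name windows32.exe rather than the full administrator profile path is an assumption made so the check also works for other user profiles.

```powershell
# Added example: read-only check for the registry values this page lists.
$valueName = 'MicrosoftWindows'           # autostart value name from the page
$fileName  = 'windows32.exe'              # file name of the dropped copy
$startPage = 'http://redirecturls.info/'  # start page set by the trojan

# The three subkeys the page lists under both HKLM and HKCU.
$runSubkeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)

function Get-StartpageOmFinding {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($subkey in $runSubkeys) {
            $path = '{0}\{1}' -f $hive, $subkey
            $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key or value absent
            $data = [string]$item.$valueName
            [pscustomobject]@{
                Key         = $path
                Value       = $valueName
                Data        = $data
                # Assumption: match on file name, since the profile folder varies per host.
                PathMatches = ($data -like "*\$fileName*")
            }
        }
    }
    # Internet Explorer start page change described under Payload.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -LiteralPath $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($null -ne $ie -and $ie.'Start Page' -eq $startPage) {
        [pscustomobject]@{
            Key = $ieKey; Value = 'Start Page'; Data = $ie.'Start Page'; PathMatches = $false
        }
    }
}

$findings = @(Get-StartpageOmFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No registry values from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The HKCU checks cover only the account that runs the script, so it needs to be run once per user profile of interest.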
This malware description was produced and published using our automated analysis system's examination of file SHA1 4eae6a822353405f531507eeae21be9ebe4c5ded.