Trojan.Win32.StartPage.fc
| Alert Level : | Medium |
| Discovered: | Nov 19 2007 |
| Tag: | Trojans |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11776 bytes in size. It is packed using UPX. The unpacked file is approximately 48KB in size. It is written in Delphi.
Payload
Once launched, the Trojan will:
- modify the following system registry keys:
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Use Search Asst" = "no"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Search Page" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Search Bar" = "http://my-finder.com/sp.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL] "Default" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL] "provider" = "gog"
[HKLM\Software\Microsoft\Internet Explorer\Search] "SearchAssistant" = "http://my-finder.com/sp.h"
This will modify the configuration of Internet Explorer.
- create the following shortcuts in the current user's Favorites folder:
%USERPROFILE%\Favorites\FREE HIDDEN CAMS WORLD
%USERPROFILE%\Favorites\FREE SPY CAM
%USERPROFILE%\Favorites\FREE WEB CAMS CHATS
%USERPROFILE%\Favorites\GET THIS 4 FREE
These shortcuts lead to the following addresses:
http://free.hcworld.com/*****finder.com
http://free-spy-cam.net/*****finder.com
http://web-cams-chat.com/*****finder.com
http://getthis4free*****.com/
Trojan.Win32.StartPage.fc removal instructions:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process.
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Revert the following system registry key values (shown here as set by the Trojan):
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Use Search Asst" = "no"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Search Page" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Search Bar" = "http://my-finder.com/sp.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL] "Default" = "http://my-finder.com/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL] "provider" = "gog"
[HKLM\Software\Microsoft\Internet Explorer\Search] "SearchAssistant" = "http://my-finder.com/sp.h"
- Delete all shortcuts created by the Trojan:
%USERPROFILE%\Favorites\FREE HIDDEN CAMS WORLD
%USERPROFILE%\Favorites\FREE SPY CAM
%USERPROFILE%\Favorites\FREE WEB CAMS CHATS
%USERPROFILE%\Favorites\GET THIS 4 FREE
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
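Before or after working through the steps above, the listed registry values and Favorites shortcuts can be checked in one pass. The PowerShell script below is an added example, not part of the original description or of any vendor tool; it only reads and reports. Its variable names are illustrative, and the trailing wildcard on shortcut names assumes the files may carry a .url extension.

```powershell
# Read-only audit for the indicators listed in this description; changes nothing.
$domain = 'my-finder.com'   # domain that appears in the registry values above

# Key path -> value names the description says the Trojan modifies.
$checks = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Names = 'Start Page', 'Search Page', 'Search Bar', 'Use Search Asst' },
    @{ Path  = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'
       Names = 'Default', 'provider' },
    @{ Path  = 'HKLM:\Software\Microsoft\Internet Explorer\Search'
       Names = 'SearchAssistant' }
)
# Non-URL values set by the Trojan; a match on these alone is weak evidence.
$literals = @{ 'Use Search Asst' = 'no'; 'provider' = 'gog' }

# Shortcut names from the description; '*' allows for a .url extension (assumption).
$favorites = Join-Path $env:USERPROFILE 'Favorites'
$shortcuts = 'FREE HIDDEN CAMS WORLD', 'FREE SPY CAM', 'FREE WEB CAMS CHATS', 'GET THIS 4 FREE'

$findings = @(
    foreach ($check in $checks) {
        $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        if (-not $props) { continue }            # key missing: nothing to inspect
        foreach ($name in $check.Names) {
            $value = [string]$props.$name        # empty string when the value is absent
            if (-not $value) { continue }
            $hit = $null
            if ($value -like "*$domain*") { $hit = 'URL on listed domain' }
            elseif ($literals[$name] -eq $value) { $hit = 'matches listed value' }
            if ($hit) {
                [pscustomobject]@{ Location = "$($check.Path)\$name"; Value = $value; Match = $hit }
            }
        }
    }
    foreach ($s in $shortcuts) {
        Get-ChildItem -Path $favorites -Filter "$s*" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Location = $_.FullName; Value = ''; Match = 'listed shortcut' }
            }
    }
)

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No indicators from this description were found.' }
```

The HKCU checks apply only to the account running the script, so repeat it for each user profile on the machine.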

