Trojan.Win32.StartPage.fg

tag:Trojans  

This Trojan program is a Windows PE EXE file approximately 69KB in size.

Once launched, it causes the browser on the victim machine to open the following page:

http://crackspider.net/ie/first.php

It also creates a file called “crcspider.ico” in the Windows root directory. This file is 766 bytes in size:

%Windir%\crcspider.ico 

The Trojan will then create the following entries in the system registry:

[HKCU\Software\Microsoft\Internet Explorer\Main]
 "Search Bar" = "http://crackspider.net/ie/sbar.php" 

[HKCU\Software\Microsoft\Internet Explorer\Search]
 "SearchAssistant" = "http://crackspider.net/ie/assist.php" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"ButtonText" = "Search cracks at CrackSpider.NET"

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"ClSid" = (1FBA04EE-3024-11d2-8F1F-0000F87ABD16) 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"Default Visible" = "Yes" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"Exec" = "http://crackspider.net/ie/btn.php" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"HotIcon" = "%windows%\crcspider.ico" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"Icon" = "%windows%\crcspider.ico" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"MenuStatusBar" = "Search cracks at CrackSpider.NET" 

[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"MenuText" = "Search cracks at CrackSpider.NET" 

The Trojan will also create a new folder called “cracks” in Favourites. This folder contains the following links and descriptions:

! CrackSpider.NET - Cracks search engine.url 
!! TheBUGS.ws - Security Related Portal.url 
!!! CrackPortal.com - Cracks, serial numbers.....url 
anyCracks.com - Keygens, patches, crackz....url 
Astalavista - Cracks search engine.url 
CrackSpider.DE - Cracks search engine.url 
CrackSpider.US - Cracks search engine.url 
CrackWay - Since 2001 cracks arhive.url 
iCracks.net - Keygens, patches, crackz....url 
KeyGen.US - Keygens, patches, crackz....url 
mscrack.com - Cracks, serial numbers.....url

It alters the "%System%\drivers\etc\hosts" file by writing the text shown below to the file:

213.239.0.226   andr.net
213.239.0.226   astalavista.box.sk
213.239.0.226   crackspider.com
213.239.0.226   crackz.ws
213.239.0.226   www.andr.net
213.239.0.226   www.crackz.ws
213.239.0.226   www.crackspider.com

When the browser is used to view the sites listed above, it will automatically be redirected to 213.239.0.226.
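A check for the hosts-file changes described above, as an added example that is not part of the original write-up. The IP address and host names are the ones listed on this page; the function names, the finding labels and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Indicators copied from the write-up above.
REDIRECT_IP = "213.239.0.226"
HIJACKED_HOSTS = {
    "andr.net", "astalavista.box.sk", "crackspider.com", "crackz.ws",
    "www.andr.net", "www.crackz.ws", "www.crackspider.com",
}

# Constructed sample hosts file (not taken from an infected machine).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
213.239.0.226   andr.net
213.239.0.226   WWW.CrackSpider.com   # case differs from the listing
213.239.0.226   example.test
10.0.0.5        intranet.example.test
0.0.0.0         ads.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text):
    """Label entries: 'ioc' = IP and name both match the write-up,
    'ioc-ip' = only the IP matches, 'review' = other non-loopback pin."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if str(ip) == REDIRECT_IP:
                label = "ioc" if name in HIJACKED_HOSTS else "ioc-ip"
            elif ip.is_loopback or ip.is_unspecified:
                continue                        # localhost and sinkhole entries
            else:
                label = "review"
            findings.append((label, line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding)
```

On a live system, pass the contents of the hosts file named above to `audit_hosts` instead of `SAMPLE`.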

The Trojan will add its own icon to the Internet Explorer toolbar. This icon acts as a link to http://crackspider.net/ie/btn.php and also links to the Favorites menu.

©Virus-Encyclopedia.com All Rights Reserved.