Win32/StartPage [Threat Name]

Win32/StartPage.NSH [Threat Variant Name]

Category trojan
Size 77420 B
Detection created Apr 22, 2010
Detection database version 5051
Aliases Trojan.Win32.StartPage.zlo (Kaspersky)
  Trojan.Startpage (Symantec)
  Trojan:Win32/Startpage.JN (Microsoft)
Short description

Win32/StartPage.NSH is a trojan which tries to promote certain web sites. The file is run-time compressed using UPX.

Installation

The trojan may create the following files:

  • %system%\Drivers\Protectsys.sys
  • %commonstartup%\%variable%.exe

%variable% represents a string written in the Chinese language.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\Drivers\Protectsys.sys"
    • "DisplayName" = "Protectsys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys\Security]
    • "Security" = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys\Enum]
    • "0" = "Root\LEGACY_PROTECTSYS\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://www.91ni.com/?sp=011"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    • "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}]
    • "(Default)" = "Internet Explorer"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\DefaultIcon]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open]
    • "(Default)" = "'ňżŞExO3"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open\Command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://www.91ni.com/?sp=011"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\EôDO]
    • "(Default)" = "EôDO(&R)"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\EôDO\Command]
    • "(Default)" = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\ShellFolder]
    • "Attributes" = 20
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{66AEFBE8-763F-0647-899C-A93278894D8E}]
    • "(Default)" = "Internet Explorer"
Information stealing

The trojan collects the following information:

  • computer name
  • network adapter information

The trojan contains a URL. It can send the collected information to a remote machine over HTTP.


Other information

Win32/StartPage.NSH is a trojan which tries to promote certain web sites.


The trojan opens the following URL in Internet Explorer:

  • http://www.91ni.com/?sp=011
