Win32/StartPage [Threat Name]

Win32/StartPage.ORS [Threat Variant Name]

Category: trojan
Size: 52736 B
Detection created: Apr 08, 2013
Detection database version: 8204
Aliases: Trojan.Win32.StartPage.bcfq (Kaspersky)

Short description

Win32/StartPage.ORS is a trojan that changes the home page of certain web browsers.

Installation

The trojan does not create any copies of itself.

Other information

The trojan changes the home page of the following web browsers:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • Opera

The following files are modified:

  • %appdata%\Opera\Opera\operaprefs.ini
  • %localappdata%\Google\Chrome\User Data\Default\Preferences
  • %appdata%\Mozilla\Firefox\Profiles\%profile%\prefs.js

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://kurs.ru/index3"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    • "URL" = "http://www.gigabase.ru/search?q={searchTerms}&clid=1"
    • "DisplayName" = "Gigabase"
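
A check for these entries, added here as an example and not part of the vendor description: the Python below parses the text of a `reg export` of the current user's Internet Explorer key and reports the string values that match the registry entries listed above. The function names are this example's own and the sample export is constructed.

```python
import re

IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
SCOPE = IE + r"\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
# (key, value name) -> data, copied from the registry entries listed above.
INDICATORS = {
    (IE + r"\Main", "Start Page"): "http://kurs.ru/index3",
    (SCOPE, "URL"): "http://www.gigabase.ru/search?q={searchTerms}&clid=1",
    (SCOPE, "DisplayName"): "Gigabase",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {(key, name): data} for string values; keys and names lowercased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif key and (m := VALUE_RE.match(line)):
            values[(key, unescape(m.group(1)).lower())] = unescape(m.group(2))
    return values

def find_hits(text):
    """List (key, name, data) entries that match the indicators above."""
    values = parse_reg(text)
    hits = []
    for (key, name), bad in INDICATORS.items():
        data = values.get((key.lower(), name.lower()))
        if data is not None and data.strip().lower() == bad.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://kurs.ru/index3"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL"="http://www.gigabase.ru/search?q={searchTerms}&clid=1"
"DisplayName"="Gigabase"
"""
```

`reg export` writes UTF-16LE, so read the exported file with `encoding="utf-16"` before passing its text to `find_hits`.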

The trojan connects to the following addresses:

  • http://176.9.157.143/counters/accept?param=%variable%&aid=2

A string with variable content is used instead of %variable%.
