
Virus Detail

Win32.Startpage.FZ

Date Published:
3 Aug 2004

Last Updated:
13 Apr 2005

Threat Assessment

Overall Risk:   Very Low
Wild:  Low
Destructiveness:  Low
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  StartPage-DU (McAfee) , Win32.Startpage.FZ!generic, Win32/StartPage.IX (Eset), Trojan.Win32.StartPage.ix (Kaspersky)


Description

Startpage is a large family of trojans that are used to change a user's Internet Explorer homepage and default search page. Generally, these trojans accomplish this by making changes to the registry and the hosts file. These trojans have been seen in the wild and used by businesses with unethical marketing practices in order to increase the flow of traffic to their web sites.


Method of Infection

Win32.Startpage.FZ is dropped into the %System% directory as a randomly named .DLL and launched by Win32.DlMersting variants. Win32.Startpage.FZ may also drop a local copy of a custom 'Search Page' named sp.html in the %Temp% directory.


It installs itself as a Browser Helper Object by making the following additions to the registry. The filename and CLSID values are random; those shown are examples only.


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}
HKCR\CLSID\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}\InProcServer32\(Default)="%System%\knfoba.dll"
HKCR\CLSID\{C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}\InProcServer32\ThreadingModel=Apartment


Win32.Startpage.FZ also installs itself as a permanent pluggable MIME filter; this allows it to display an alternative page of the writer's choice instead of the default 'about:blank' (which normally displays as an empty page):


HKCR\PROTOCOLS\Filter\text/html\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}
HKCR\PROTOCOLS\Filter\text/plain\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}



Payload

Modifies System Settings

Win32.Startpage.FZ makes the following registry modifications:


HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP="about:blank"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"


HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP="about:blank"
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"
HKLM\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"


One of the following registry modification styles is used (depending on which minor variant of Win32.Startpage.FZ is affecting the machine):


HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html


HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html


OR


HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"


HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"


The percent-encoded res:// URL points into Win32.Startpage.FZ's own DLL. The example above decodes to res://C:\WINDOWS\System32\knfoba.dll/sp.html


Win32.Startpage also checks the 'hosts' file on a user's system to determine if specific domains have been redirected. The exact list varies between each variant, but has been known to include the following domain substrings:


windows-data.info
ak47.be
channels.at
refer.cn
look-up.tv
count.cc
searchx.cc
google.com
yahoo.com
msn.com
netscape.com
ieautosearch


If a redirection is found, it is removed by commenting out the corresponding line in the 'hosts' file, and the file's read-only attribute is then set.
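The following triage script is an added example, not CA's own tooling: it decodes the percent-encoded res:// search-page values shown above, flags the Internet Explorer search settings this trojan overwrites (res:// into a DLL, or file:// into %Temp%), and reports hosts-file lines, active or commented out, that name any of the listed domain substrings. It assumes registry data is supplied as 'Key\Name=data' lines in the advisory's own notation and the hosts file as plain text; both samples are constructed from the advisory's example values.

```python
"""Triage helpers for the IE search-page hijack described above (added example, not
CA's tooling; assumes registry data as 'Key\\Name=data' lines and a hosts file as text)."""
from urllib.parse import unquote

# IE values the advisory lists as overwritten by Startpage.FZ.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "Start Page"}
# Hosts-file domain substrings from the advisory's list.
HOSTS_SUBSTRINGS = ("windows-data.info", "ak47.be", "channels.at", "refer.cn",
                    "look-up.tv", "count.cc", "searchx.cc", "google.com",
                    "yahoo.com", "msn.com", "netscape.com", "ieautosearch")

def decode_res_url(value):
    """Percent-decode a res:// or file:// value so the real path is visible."""
    return unquote(value.strip('"'))

def classify_search_value(name, value):
    """Reason string if an IE search value matches the hijack pattern, else None."""
    if name not in SEARCH_VALUES:
        return None
    decoded = decode_res_url(value).lower()
    if decoded.startswith("res://") and ".dll/" in decoded:
        return "search page served from a DLL resource: " + decoded
    if decoded.startswith("file://") and "%temp%" in decoded:
        return "search page is a local file under %Temp%: " + decoded
    return None

def scan_registry_lines(lines):
    """Walk 'Key\\Name=data' lines and collect (key path, reason) findings."""
    findings = []
    for line in lines:
        if "=" in line:
            path, data = line.split("=", 1)
            reason = classify_search_value(path.rsplit("\\", 1)[-1], data)
            if reason:
                findings.append((path, reason))
    return findings

def scan_hosts(text):
    """Report hosts lines (active or commented out) that name a listed domain."""
    hits = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and any(s in line.lower() for s in HOSTS_SUBSTRINGS):
            hits.append((line, "commented out" if line.startswith("#") else "active"))
    return hits

SAMPLE_REG = [  # constructed from the advisory's example values
    'HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar="res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6b%6e%66%6f%62%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c"',
    'HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page="about:blank"',
    'HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Page=file://%Temp%\\sp.html',
]
SAMPLE_HOSTS = "127.0.0.1 localhost\n#127.0.0.1 www.google.com\n127.0.0.1 cdn.example.test\n"
```

A commented-out line for one of the listed domains is worth a second look on its own: it is what this trojan leaves behind after undoing a redirection, and the read-only attribute on the hosts file is a further indicator.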


Depending on the variant, Win32.Startpage.FZ may also attempt to patch a system API call. By making use of its own simple disassembly engine, it writes directly into wininet.dll to patch the API InternetConnectA. It redirects this API to code within its own DLL.


Some variants may modify the following registry value:


HKCU\software\microsoft\Internet Explorer\Main\Search Bar = res://%Temp%\se.dll/sp.html


so that a search page "sp.html" is displayed in the Internet Explorer search bar.


Some Startpage.FZ variants may also drop the file "se.dll" into the user's %Temp% folder. This file is detected as Win32.Startpage.NS. Please see elsewhere in our encyclopedia for further information on this related trojan.


While CA Antivirus solutions will remove a Startpage infection, they will not restore a user's individual Internet Explorer settings to their pre-infection state (as Internet Explorer settings may vary from user to user).


Analysis by Scott Molenkamp and Paul Taylor


