W32/StartPage.DF!tr
Analysis
This threat is a group of several files, including downloader
Trojans. When a user makes a connection using Internet
Explorer to an offending site, the user is at risk of
having files downloaded automatically to the system, and
having the Internet Explorer start page settings altered.
The concept of the Trojan is to initiate downloading of
downloader Trojan components by writing a short HTML file
to the target system. The HTML file is loaded into Internet
Explorer as a hidden process, and files are ultimately
downloaded and run.
The Trojan connects with the IP address 67.15.51.131 in
order to download various files and threats, some of them
.EXE files and others .DLL files.
The first file in this threat family downloads "rename.exe"
from 67.15.51.131, then runs it. This .EXE file then downloads
two files, System87.dll and win86.exe, from the same IP
address. The Trojan then runs "Win86.exe", which
downloads "System86.dll".
Finally, this .DLL retrieves "winpop.exe" and
executes it. The functionality of "winpop.exe"
is to track sites visited by the compromised user.
Loading at Windows Startup
The Trojan may register itself to load at each Windows
startup by writing the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinInit = Win86.exe Win86.exe WINDIR
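As an added example (not part of this Fortinet entry), a Python check for the Run-key persistence described above. The value name and file names come from the text; the function names, the benign sample entry and the assumption that "WINDIR" in the value data stands for the %WINDIR% directory are mine.

```python
"""Check Windows Run-key values for the persistence entry described above."""
import re

# Indicators from the page text: the value name written under
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the download-chain file names.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAMES = {"wininit"}
SUSPECT_BINARIES = {"win86.exe", "rename.exe", "winpop.exe"}

def image_path(command: str, windir: str = r"C:\Windows") -> str:
    """Executable part of a Run-key command: handles quoted paths, trailing
    arguments and %WINDIR%/%SystemRoot% (assumed meaning of the page's 'WINDIR')."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd.split() else ""
    return re.sub(r"%(windir|systemroot)%", lambda m: windir, exe, flags=re.IGNORECASE)

def suspicious_run_entries(entries: dict, windir: str = r"C:\Windows") -> list:
    """Return (value_name, exe_path, reason) for values matching the indicators."""
    hits = []
    for name, command in entries.items():
        exe = image_path(command, windir)
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() in SUSPECT_VALUE_NAMES:
            hits.append((name, exe, "value name used by the Trojan"))
        elif base in SUSPECT_BINARIES:
            hits.append((name, exe, "launches a file from the download chain"))
    return hits

def read_run_key_windows() -> dict:
    """Collect the HKLM Run values from a live Windows host (winreg is Windows-only)."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries[name], i = str(value), i + 1

# Constructed sample: one benign entry plus the entry the page describes.
SAMPLE_ENTRIES = {
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    "WinInit": r"%WINDIR%\Win86.exe",
}
```

On a Windows host pass `read_run_key_windows()` to `suspicious_run_entries`; elsewhere the constructed `SAMPLE_ENTRIES` exercises the same logic.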
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Add the IP address 67.15.51.131 to the list of URLs to block
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |