Virus

W32/StartPage.DF!tr

Analysis

This threat is a group of several files, including downloader Trojans. When a user makes a connection using Internet Explorer to an offending site, the user is at risk of having files downloaded automatically to the system, and having the Internet Explorer start page settings altered.
The concept of the Trojan is to initiate downloading of downloader Trojan components by writing a short HTML file to the target system. The HTML file is loaded into Internet Explorer as a hidden process, and files are ultimately downloaded and run.
The Trojan connects with the IP address 67.15.51.131 in order to download various files and threats, some of them .EXE files and others .DLL files.
The first file in this threat family downloads "rename.exe" from 67.15.51.131, then runs it. This .EXE file then downloads 2 files, System87.dll & win86.exe from the same IP address. The Trojan then runs "Win86.exe" and it downloads "System86.dll".
Finally, this .DLL retrieves "winpop.exe" and executes it. The functionality of "winpop.exe" is to track sites visited by the compromised user.
Loading at Windows Startup
The Trojan may register itself to load at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
WinInit = Win86.exe Win86.exe WINDIR

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Add the IP address 67.15.51.131 to the list of URLs to block