W32/StartPage.Y!tr

Analysis

  • The Trojan is a 32-bit executable with a file size of 25,088 bytes
  • The Trojan may be introduced to the system from a malicious web page
  • If the Trojan is created and run, it modifies the registry in numerous places, changing general Internet Explorer settings such as the home page or start page and the search page
  • The registry is changed to point Internet Explorer to this URL -

    http://in.webcounter.cc/--/?oaoca

  • The actual value in the registry is percent-encoded hex which decodes to the above web address, as in this example -

    http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%6f%61%6f%63%61

  • The Trojan enables the Internet Explorer option "Use My Style Sheets", a registry setting that makes the browser load a user-supplied style configuration file. In this case the file loaded is a dropped configuration file in the Windows folder named "hh.htt"

  • The file "hh.htt" has the system, hidden and read-only attributes set, and contains a Unicode instruction to open a browser window to

    'http://in.webcounter.cc/--?oaoca'

    whenever a web page is opened that contains a Meta tag of 'sex', 'porn', 'adult' or 'thehun'

  • The registry is modified to use the style sheet in two locations -

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles\
    "Use My Stylesheet" = 01, 00, 00, 00
    "User Stylesheet" = C:\WINNT\Web\tips.ini

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
    "Use Search Assistant" = yes
    "Use My Stylesheet" = 01, 00, 00, 00

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles\
    "User Stylesheet" = C:\WINNT\hh.htt

  • The Trojan modifies the "hosts" DNS resolution file, adding an entry that directs access to 'auto.search.msn.com' to the web address 'in.webcounter.cc'
  • The Trojan modifies the WIN.INI file so that the Trojan is run at each Windows startup -

    [windows]
    "run" = fntldr.exe
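
The triage helper below is an added example, not Fortinet's code: it decodes the percent-encoded start-page value and flags the registry, hosts-file and WIN.INI artifacts listed above when run over constructed sample input. The "Start Page"/"Search Page" value names and the exact form of the hosts entry are assumptions, since the analysis does not spell them out.

```python
import configparser
from urllib.parse import unquote

# Indicators taken from the analysis above
HIJACK_HOST = "in.webcounter.cc"
REDIRECTED_LOOKUP = "auto.search.msn.com"
AUTORUN_NAME = "fntldr.exe"
STYLESHEET_DROP = "hh.htt"

def decode_hex_url(value: str) -> str:
    # The registry stores the URL percent-encoded: %69%6e%2e... -> in.webcounter.cc
    return unquote(value)

def check_registry(values: dict) -> list:
    """values maps 'Key\\ValueName' to its data, as exported from the IE keys above."""
    findings = []
    for name, data in values.items():
        n = name.lower()
        # Value names "Start Page"/"Search Page" are assumed, not given on the page
        if n.endswith(("start page", "search page")) and HIJACK_HOST in decode_hex_url(data):
            findings.append(f"{name} points to {HIJACK_HOST}")
        elif n.endswith("use my stylesheet") and data.startswith("01"):
            findings.append(f"{name} enabled")
        elif n.endswith("user stylesheet") and data.lower().endswith(STYLESHEET_DROP):
            findings.append(f"{name} loads dropped {STYLESHEET_DROP}")
    return findings

def check_hosts(text: str) -> list:
    """auto.search.msn.com should never appear as an active (non-comment) hosts entry."""
    return [ln.strip() for ln in text.splitlines()
            if REDIRECTED_LOOKUP in ln.split("#", 1)[0].split()]

def check_win_ini(text: str) -> list:
    """Persistence via [windows] run= in WIN.INI, as described above."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    run = cp.get("windows", "run", fallback="")
    return [f"WIN.INI run={run}"] if AUTORUN_NAME in run.lower() else []

# Constructed samples mirroring the indicators above (not captured from a real host)
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page":
        "http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%6f%61%6f%63%61",
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Use My Stylesheet": "01,00,00,00",
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet": r"C:\WINNT\hh.htt",
}
SAMPLE_HOSTS = "127.0.0.1 localhost\nin.webcounter.cc auto.search.msn.com\n"
SAMPLE_WIN_INI = "[windows]\nrun=fntldr.exe\n"

def triage() -> list:
    return check_registry(SAMPLE_REGISTRY) + check_hosts(SAMPLE_HOSTS) + check_win_ini(SAMPLE_WIN_INI)
```

On a real host, feed the functions exported registry values, the hosts file and WIN.INI contents in place of the constructed samples.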

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

    FortiClient                  Extreme
    FortiMail                    Extreme
    FortiSandbox                 Extreme
    FortiWeb                     Extreme
    Web Application Firewall     Extreme
    FortiIsolator                Extreme
    FortiDeceptor                Extreme
    FortiEDR

Version Updates

    Date         Version     Detail
    2021-11-23   89.07133
    2021-09-13   89.00920