W32/StartPage.Y!tr
Analysis
- Trojan is 32 bit with a file size of 25,088 bytes
- Trojan may be introduced to the system from a malicious web page
- If Trojan is created and run, it will modify the registry in numerous places, changing general settings for Internet Explorer such as home page or start page and search page settings
- The registry is changed to point Internet Explorer to this URL -
http://in.webcounter.cc/--/?oaoca
- The actual value in the registry is hex code which translates into the above web address, as in this example -
http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%6f%61%6f%63%61
- The Trojan enables an option called "Use My Style Sheets", a registry setting for Internet Explorer that allows the web browser to use a style configuration. When this option is enabled, the browser loads a user-supplied style sheet file; in this case the file is a dropped configuration file in the Windows folder named "hh.htt"
- The file "hh.htt" has system, hidden and read-only attributes, and contains a Unicode instruction to open the browser window to
'http://in.webcounter.cc/--?oaoca'
any time a web page is opened that contains a Meta tag of 'sex', 'porn', 'adult' or 'thehun'
- The registry is modified to use the style sheet in two locations -
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles\
"Use My Stylesheet" = 01, 00, 00, 00
"User Stylesheet" = C:\WINNT\Web\tips.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
"Use Search Assistant" = yes
"Use My Stylesheet" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles\
"User Stylesheet" = C:\WINNT\hh.htt
- The Trojan modifies the "hosts" DNS resolution file, adding an entry that redirects access to 'auto.search.msn.com' to the web address 'in.webcounter.cc'
- The Trojan modifies the WIN.INI file to auto run the Trojan at each Windows startup -
[windows]
"run" = fntldr.exe
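The indicators above (the %XX-encoded start page value, the Internet Explorer style sheet registry values, the hosts file entry and the WIN.INI run line) can be checked offline with the following script. It is an added example, not code from the Fortinet write-up; the inputs are constructed samples standing in for exported registry values, the hosts file and WIN.INI, and the IP address in the hosts sample is a placeholder.

```python
# Added example (not from the Fortinet write-up): offline triage helpers for
# the W32/StartPage.Y!tr indicators. Inputs are constructed samples that stand
# in for exported registry values, the hosts file and WIN.INI.
import configparser
from urllib.parse import unquote

WATCHED_HOST = "auto.search.msn.com"  # legitimate name the hosts file redirects

def decode_hex_url(value: str) -> str:
    """Decode the %XX-encoded start page value back into a readable URL."""
    return unquote(value)

def check_ie_style_values(exported: dict) -> list:
    """exported maps a registry key path to {value name: data}.
    Flags 'Use My Stylesheet' switched on and a 'User Stylesheet' that is
    not a .css file (the trojan points it at hh.htt / tips.ini)."""
    hits = []
    for path, kv in exported.items():
        if kv.get("Use My Stylesheet", b"")[:1] == b"\x01":
            hits.append(f"{path}: Use My Stylesheet enabled")
        sheet = kv.get("User Stylesheet", "")
        if sheet and not sheet.lower().endswith(".css"):
            hits.append(f"{path}: non-CSS User Stylesheet {sheet}")
    return hits

def check_hosts(text: str) -> list:
    """Flag hosts entries that override the watched MSN search name."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and WATCHED_HOST in (f.lower() for f in fields[1:]):
            hits.append(f"hosts overrides {WATCHED_HOST} -> {fields[0]}")
    return hits

def check_win_ini(text: str) -> list:
    """Flag a non-empty run= line under [windows] (legacy autostart)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    run = cp.get("windows", "run", fallback="").strip()
    return [f"WIN.INI [windows] run={run}"] if run else []

if __name__ == "__main__":
    # Constructed samples modelled on the values quoted in the write-up.
    print(decode_hex_url("http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%6f%61%6f%63%61"))
    reg = {r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles": {"User Stylesheet": r"C:\WINNT\hh.htt"},
           r"HKCU\Software\Microsoft\Internet Explorer\Styles": {"Use My Stylesheet": b"\x01\x00\x00\x00"}}
    for hit in (check_ie_style_values(reg)
                + check_hosts("127.0.0.1 localhost\n192.0.2.1 auto.search.msn.com\n")  # placeholder IP
                + check_win_ini("[windows]\nrun=fntldr.exe\n")):
        print(hit)
```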
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |