Friday, July 15, 2011

Trojan TrojanScript.StartPage

VirusHunter warns computer users about the appearance on the Internet of the malicious script Trojan TrojanScript.StartPage, which propagates as a component of web pages ...


A detailed description of the Trojan TrojanScript.StartPage.

1. How it gets onto the machine.

TrojanScript.StartPage is an ActiveX component (see the description of the script virus VBS.Folder, aka VBS.Redlof.a) whose program is written in JavaScript. It gets onto the machine when the browser automatically saves the temporary files of components used in the design of web pages (banners, auxiliary scripts, etc.) into one of the subdirectories of the system or user directory:

for Windows 9X/ME: WINDOWS\Temporary Internet Files\Content.IE5\
for Windows 2K/2K Server/XP/2K3 Server: Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\

where %username% is the current user name. The JS file has a random name and the extension "JS" (for example, scr3[1].JS) and is able to activate immediately and infect the computer if the latter is running Windows 98, 98 SE, ME, NT, 2K or 2K Server with the web browser Internet Explorer version 4.0 up to and including 5.5 SP2. The Trojan uses some loopholes in Internet Explorer's script protection, activating and installing itself in the system when the user visits a web site that contains a link to the malicious "designer" file. However, on one of these Windows systems with an updated Internet Explorer 6.0 or higher, or on Windows XP (or a later Windows system), the Trojan script cannot work. The Trojan may also simply be embedded in the code of an HTML page.

2. Installation in the system.

Once it has established itself in the system, the Trojan creates in the system directory C:\WINDOWS\SYSTEM (for Windows 9X and ME) or C:\WINDOWS\SYSTEM32 (for Windows 2K and 2000 Server) a DLL file with a random name (for example, sp.dll), into which it copies its code containing the basic commands. To have this file activated each time Windows starts, the Trojan creates a registry autorun key under

HKCU\Software\Microsoft\Internet Explorer\Main\

with a link to this file, registering it as the Windows Script Host Shell Object (a basic modular component of the system application Explorer) and the Windows Script Host Network Object (a basic modular component of the web browser Internet Explorer). This gives the Trojan two properties: the ability to run in "background" mode (stealth activation, without appearing in any of the standard lists of active system processes), and the ability to carry out certain actions behind the scenes when the machine connects to the Internet.

3. Malicious actions.

The Trojan writes a number of keys to the registry and makes several changes to the settings of the web browser Internet Explorer:

1. The home page address is set to http://www.cards.ru. The Trojan also writes this address into the address bar of all open browser windows while the user is on the Internet, at intervals of 16 minutes 40 seconds, counting from the moment of connecting to the Internet until disconnection.
2. On the desktop it creates a shortcut named "Chats & postcards", which when clicked opens the address http://www.cartoons.ru.
3. To "Favorites" it adds a link named "Hosting for everyone", which when clicked opens the address http://www.af.ru (this works only on Russian, English, Spanish or Italian versions of the web browser Internet Explorer).
4. To "Links" it appends a link named "Internet services", which when clicked opens the address http://www.deluxe.ru/.
5. To "Search" it adds the address http://www.one.ru, interfering with entering and opening the address the user wants.

4. Detecting the Trojan and removing it from the system.

Since January 2005, some antivirus companies have renamed the virus in their nomenclature as follows:

Kaspersky AntiVirus: Trojan.JS.StartPage.l
BitDefender Professional: JS.Trojan.Seeker.AK
DrWeb: Trojan.AppActXComp

If you find this Trojan on a system, remove not only the file but also the registry keys that redirect links in the web browser Internet Explorer. To do this you will obviously need special tools for viewing the list of registry keys.
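One way to check a machine for the registry changes described in sections 2 and 3 is to export the Internet Explorer "Main" key with reg export and scan it. The following script is an added example, not part of the original description: it parses a .reg export and flags values that point at the domains listed above or that reference a DLL path; the sample export and the value name "HelperDll" are constructed for the demonstration, since the description does not name the value under which the Trojan records its DLL.

```python
import re

# Domains the description above says the Trojan writes into Internet Explorer settings.
SUSPECT_DOMAINS = {"www.cards.ru", "www.cartoons.ru", "www.af.ru",
                   "www.deluxe.ru", "www.one.ru"}
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed sample of a `reg export` of the IE Main key (not a real capture).
# The value name "HelperDll" is hypothetical: the description does not say
# under which value name the Trojan records the path to its DLL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.cards.ru"
"Search Page"="http://www.one.ru"
"Window Title"="Microsoft Internet Explorer"
"HelperDll"="C:\\WINDOWS\\SYSTEM\\sp.dll"
"""

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.dll\b', re.IGNORECASE)

def parse_reg_export(text):
    """Yield (key, value_name, value_data) for each value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data: strip the quotes and undo .reg backslash escaping
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name, data

def find_startpage_indicators(reg_text):
    """Return (value_name, reason) for IE Main values matching the description."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() != IE_MAIN_KEY.lower():
            continue
        # take the host part of a URL; a non-URL value simply will not match
        host = data.lower().split("//", 1)[-1].split("/", 1)[0]
        if host in SUSPECT_DOMAINS:
            findings.append((name, "points at a domain the Trojan sets"))
        elif DLL_PATH.search(data):
            findings.append((name, "references a DLL path, candidate autorun entry"))
    return findings
```

Run it against the output of reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie_main.reg instead of the constructed sample; a DLL finding names the file to remove, and the domain findings name the values to restore.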

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 15.11.2004
Date of last change: 27.05.2004
Author of the description: Broido Herman (aka VirusHunter)
