Threat Encyclopedia

Short description
Win32/StartPage.NLR is a trojan that tries to promote certain web sites. The file is run-time compressed using UPX.
Installation
When executed, the trojan creates the following files:
  • %system%\autoups.exe (184404 B)
  • %system%\Ieautoups.exe (93184 B)
  • %system%\ieupdate.dll (40960 B)
  • %desktopdirectory%\Internet Explorer.lnk
The trojan registers the file %system%\ieupdate.dll as a BHO (Browser Helper Object) module in Internet Explorer.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\
    CurrentVersion\Winlogon]
    "shell" = "explorer.exe,%system%\Ieautoups.exe"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {A3EFBC64-0833-4676-8A5F-F8CAF70A8C03}\VERSION]
    "(Default)" = "1.0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {A3EFBC64-0833-4676-8A5F-F8CAF70A8C03}\TypeLib]
    "(Default)" = "{ABCA9BFA-6FE8-47D7-A3E0-224AB2A0893A}"
The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\HideDesktopIcons\ClassicStartMenu]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
Strings written in Chinese are used in place of %cn_str%.
Other information
The following file is modified:
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\%Internet Explorer%.lnk
The trojan creates the following file:
  • a.bat
The trojan opens the following URLs in Internet Explorer:
  • www.tutu520.cn
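
A host check for the artifacts listed in this description, as an added PowerShell example that is not part of the original entry. The `New-Finding` helper and the output format are hypothetical, and the extra SysWOW64 lookup is an assumption to cover file-system redirection of 32-bit processes on 64-bit Windows.

```powershell
# Added example: report which artifacts from this description exist on the local host.
# Paths, file names, sizes and GUIDs come from the description; everything else is illustrative.
function New-Finding($Type, $Item, $Detail) {
    [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
}

# 1. Per-user Winlogon "shell" value: anything listed besides explorer.exe runs at logon.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -Name 'shell' -ErrorAction SilentlyContinue).shell
if ($shell) {
    $extra = @($shell -split ',' | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and $_ -ne 'explorer.exe' })
    if ($extra.Count) { New-Finding 'Winlogon shell' $winlogon ($extra -join '; ') }
}

# 2. Dropped files in the system directory, compared with the sizes in the description.
$files = @{ 'autoups.exe' = 184404; 'Ieautoups.exe' = 93184; 'ieupdate.dll' = 40960 }
$dirs  = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
         Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
foreach ($dir in $dirs) {
    foreach ($name in $files.Keys) {
        $f = Get-Item -LiteralPath (Join-Path $dir $name) -Force -ErrorAction SilentlyContinue
        if ($f) {
            $sizeNote = if ($f.Length -eq $files[$name]) { 'size matches' } else { 'size differs' }
            New-Finding 'File' $f.FullName "$($f.Length) bytes, $sizeNote"
        }
    }
}

# 3. CLSID key from the "Registry entries are created" list.
$clsid = 'HKLM:\SOFTWARE\Classes\CLSID\{A3EFBC64-0833-4676-8A5F-F8CAF70A8C03}'
if (Test-Path -LiteralPath $clsid) { New-Finding 'CLSID key' $clsid 'present' }

# 4. HideDesktopIcons values set to 1 for the GUID in the description.
$guid = '{871C5380-42A0-1069-A2EA-08002B30309D}'
foreach ($sub in 'ClassicStartMenu', 'NewStartPanel') {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\$sub"
    $p = Get-ItemProperty -LiteralPath $key -Name $guid -ErrorAction SilentlyContinue
    if ($p -and $p.$guid -eq 1) { New-Finding 'Hidden desktop icon' $key "$guid = 1" }
}
```

The script emits one object per artifact found and nothing on a clean host. The HideDesktopIcons values can also be set by a user, so treat them as supporting evidence rather than a finding on their own.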