Threat Encyclopedia

Win32/StartPage.NSH

Aliases: Trojan.Win32.StartPage.zlo (Kaspersky), Trojan.Startpage (Symantec), Trojan:Win32/Startpage.JN (Microsoft)
Type of infiltration: Trojan
Size: 77420 B
Affected platforms: Microsoft Windows
Signature database version: 5051 (20100422)

Short description

Win32/StartPage.NSH is a trojan which attempts to promote certain web sites. The file is run-time compressed using UPX.

Installation

The trojan may create the following files:
  • %system%\Drivers\Protectsys.sys
  • %commonstartup%\%variable%.exe
A string written in Chinese is used in place of %variable%.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys]
    "Type" = 1
    "Start" = 3
    "ErrorControl" = 0
    "ImagePath" = "%system%\Drivers\Protectsys.sys"
    "DisplayName" = "Protectsys"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys\Security]
    "Security" = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys\Enum]
    "0" = "Root\LEGACY_PROTECTSYS\000"
    "Count" = 1
    "NextInstance" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "http://www.91ni.com/?sp=011"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    "{871C5380-42A0-1069-A2EA-08002B30309D}" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}]
    "(Default)" = "Internet Explorer"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\DefaultIcon]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open]
    "(Default)" = "'˛┐¬ExO3"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open\Command]
    "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://www.91ni.com/?sp=011"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\E˘DO]
    "(Default)" = "E˘DO(&R)"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\Shell\E˘DO\Command]
    "(Default)" = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66AEFBE8-763F-0647-899C-A93278894D8E}\ShellFolder]
    "Attributes" = 20
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{66AEFBE8-763F-0647-899C-A93278894D8E}]
    "(Default)" = "Internet Explorer"
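The registry entries above amount to four checkable artefacts: the Protectsys driver service, the hijacked Internet Explorer start page, the hidden genuine IE desktop icon ({871C5380-...}) and the look-alike icon registered under the trojan's own CLSID ({66AEFBE8-...}). The following script is an added example, not part of the ESET description: it parses a regedit .reg export (the text subset regedit writes, with a constructed sample embedded inline) and reports which of those artefacts are present, so an analyst can triage an exported hive offline. The indicator values are the page's own; the parser, function names and sample export are this example's assumptions.

```python
"""Triage a regedit .reg export for the Win32/StartPage.NSH registry artefacts."""

# Indicators taken from the description above: service key, IE start page,
# the genuine IE desktop icon CLSID and the trojan's look-alike CLSID.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
HIDE_ICONS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                  r"\Explorer\HideDesktopIcons\NewStartPanel")
REAL_IE_ICON_CLSID = "{871C5380-42A0-1069-A2EA-08002B30309D}"
FAKE_IE_CLSID = "{66AEFBE8-763F-0647-899C-A93278894D8E}"
NAMESPACE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Explorer\Desktop\NameSpace" + "\\" + FAKE_IE_CLSID)
HIJACK_HOST = "91ni.com"


def _decode(data):
    """Decode the common .reg value encodings; hex(...) blobs are left as raw text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg strings escape backslashes and quotes with a backslash
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg(text):
    """Parse the subset of .reg syntax regedit exports: [key] headers, "name"=data
    lines and @ for the default value. Keys and value names are lower-cased
    because the registry compares them case-insensitively. Returns {key: {name: data}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")   # first '=' ends the value name
        name = "(default)" if name == "@" else name.strip('"').lower()
        entries[current][name] = _decode(data)
    return entries


def _value(entries, key, name):
    return entries.get(key.lower(), {}).get(name.lower())


def find_indicators(entries):
    """Return human-readable findings for the artefacts listed above; empty if none match."""
    hits = []
    if SERVICE_KEY.lower() in entries:
        hits.append("Protectsys driver service is registered")
    if HIJACK_HOST in str(_value(entries, IE_MAIN_KEY, "Start Page") or ""):
        hits.append("Internet Explorer start page points at " + HIJACK_HOST)
    if _value(entries, HIDE_ICONS_KEY, REAL_IE_ICON_CLSID) == 1:
        hits.append("genuine Internet Explorer desktop icon is hidden")
    if NAMESPACE_KEY.lower() in entries:
        hits.append("look-alike Internet Explorer desktop icon registered as " + FAKE_IE_CLSID)
    return hits


# Constructed sample export reproducing the entries from the description (not a real capture).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protectsys]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="%system%\\Drivers\\Protectsys.sys"
"DisplayName"="Protectsys"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.91ni.com/?sp=011"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{66AEFBE8-763F-0647-899C-A93278894D8E}]
@="Internet Explorer"
'''

# Constructed clean export for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    for label, text in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label + ":", find_indicators(parse_reg(text)) or ["no indicators"])
```

Run it against a file exported with `reg export HKLM\SYSTEM hklm_system.reg` (and the HKCU hives) by reading the file into `parse_reg`; regedit writes UTF-16 exports, so open them with `encoding="utf-16"`. A hit on the service key alone is the strongest single signal, since a legitimate driver named Protectsys is not expected.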

Information stealing

The trojan collects the following information:
  • computer name
  • network adapter information
The trojan contains a URL. It can send the collected information to a remote machine over HTTP.

Other information

Win32/StartPage.NSH is a trojan which attempts to promote certain web sites.

The trojan opens the following URLs in Internet Explorer:
  • http://www.91ni.com/?sp=011