Threat Encyclopedia

Win32/StartPage.NVB

Aliases: Trojan.Win32.Pasta.keh (Kaspersky), Trojan:Win32/Comame (Microsoft), Generic.dx!svi trojan (McAfee)
Type of infiltration: Trojan
Size: 92160 B
Affected platforms: Microsoft Windows
Signature database version: 5244 (20100701)

Short description

Win32/StartPage.NVB is a trojan which tries to promote certain web sites.

Installation

When executed, the trojan copies itself into the following location:
  • C:\winlogon.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Winservice" = "C:\winlogon.exe"
The following Registry entry is set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "http://www.kichwas-ecuador.com"
The trojan copies itself into the root folders of the following drives D:, E:, F:, G:, H:, I: using the following filename:
  • "trabajos.exe"
The trojan may create copies of itself using the following filenames:
  • %drive%\%existingfoldername%.exe
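
A triage sweep for the file artifacts listed above, as an added example (not part of the original entry and not the vendor's code): it flags trabajos.exe and any .exe that shares its name with a folder in the same drive root, and records whether the size matches the 92160 B given above. Reading %existingfoldername% as a folder in the scanned root is an assumption; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

KNOWN_NAME = "trabajos.exe"   # filename from the description above
KNOWN_SIZE = 92160            # size in bytes from the description above


def scan_root(root):
    """Return sorted (filename, reason, size_matches) tuples for one drive root."""
    entries = list(os.scandir(root))
    # Folder names are compared case-insensitively, as Windows file systems do.
    folders = {e.name.lower() for e in entries if e.is_dir(follow_symlinks=False)}
    hits = []
    for e in entries:
        name = e.name.lower()
        if not e.is_file(follow_symlinks=False) or not name.endswith(".exe"):
            continue
        stem = name[:-4]
        if name == KNOWN_NAME:
            reason = "known-filename"
        elif stem in folders:
            # Assumption: copies are named after a folder in the same root.
            reason = "named-after-folder"
        else:
            continue
        hits.append((e.name, reason, e.stat().st_size == KNOWN_SIZE))
    return sorted(hits)


def build_sample_root():
    """Constructed sample tree standing in for a removable drive root."""
    root = tempfile.mkdtemp(prefix="nvb_sample_")
    os.mkdir(os.path.join(root, "Photos"))
    os.mkdir(os.path.join(root, "Docs"))
    samples = {
        "trabajos.exe": KNOWN_SIZE,   # known name, matching size
        "Photos.exe": KNOWN_SIZE,     # folder-named copy, matching size
        "docs.exe": 1024,             # folder-named, different size
        "setup.exe": KNOWN_SIZE,      # unrelated name: not flagged
        "Photos.txt": 10,             # not an executable
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    for hit in scan_root(build_sample_root()):
        print(hit)
```

A name match with a different size is still worth a look, since the size above describes one analysed sample.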

Other information

When users enter certain keywords in the browser, the trojan opens certain URLs related to them.

The following keywords are monitored:
  • el Ecuador
  • el turismo
  • google.com
  • keylogger
  • l internet
  • la cultura
  • latinchat.
  • os kichwas
  • otmail.com
  • www.yahoo.
The trojan opens the following URLs:
  • http://ecuador.kichwas-ecuador.com
  • http://keyloggerftp.kichwas-ecuador.com
  • http://suyupishcu.kichwas-ecuador.com
  • http://tours.kichwas-ecuador.com
  • http://www.kichwas-ecuador.com