簡介
Trojan/Startpage.fi病毒長度:90,112位元組
病毒類型:木馬
危害等級:*
影響平台:Win9X/2000/XP/NT/Me
Trojan/Startpage.fi修改註冊表並重寫Hosts檔案,通常是通過其它的木馬下載並執行。它實際上是一個用regsvr32.exe, rundll32.exe或其它程式註冊的DLL檔案。
傳播過程及特徵:
1.用以下文本內容:
127.0.0.1 localhost
重寫下列Hosts檔案:
%Windir%\Hosts
%System%\Drivers\Etc\Hosts
2.修改註冊表:
/添加鍵值:"Host"=""
到註冊表:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/添加子鍵:
HKEY_CLASSES_ROOT\DP.MIMEFilter
HKEY_CLASSES_ROOT\DP.MIMEFilter.1
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\TypeLib\
/刪除子鍵:
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
/修改鍵值:HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
"(Default)"="DP.MIMEFilter"
"CLSID"=""
/修改鍵值: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"SearchAssistant" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"CustomizeSearch" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Search_URL" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Search Bar" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Start Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/"
"Search Page" ="http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
"(Default)" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Search Bar" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Default_Search_URL" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Search Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"Start Page" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%68%70/"
/修改鍵值: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"SearchAssistant" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
"CustomizeSearch" = "http://%68%6F%6D%65%70%61%67%65%2E%63%6F%6D_%00@%77%77%77%2E%65%2D%66%69%6E%64%65%72%2E%63%63/%73%65%61%72%63%68/"
/修改鍵值:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"(Default)" ="http://%65%68%74%74%70%2E%63%63/?"
/修改鍵值:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
"www" = "http://%65%68%74%74%70%2E%63%63/?"
註:%Windir%為變數,一般為C:\Windows 或 C:\Winnt;
%System%為變數,一般為C:\Windows\System (Windows 95/98/Me),
C:\Winnt\System32 (Windows NT/2000), 或
C:\Windows\System32 (Windows XP)。
上述網址值以百分號編碼寫入註冊表,解碼後實際指向 www.e-finder.cc(首頁為 /hp/,搜尋為 /search/)及 ehttp.cc;網址中 `%00@` 之前的 homepage.com_ 只是網址的使用者資訊部分,用來偽裝真正的主機名稱。
