W32/StartPage.BE!tr
Analysis
Specifics
This Trojan is a 32-bit PE executable. It is 5,120 bytes in size when UPX-compressed and 9,728 bytes when uncompressed.
When executed, the Trojan changes the Internet Explorer home page to "http://jksearch.biz/redir.php". It also creates and continually overwrites the "hosts" file in the C:\WINNT or C:\WINDOWS directory, so that manual clean-up of the file is undone while the Trojan is running.
The hostnames written to the "hosts" file include the following:
Modifications to the registry
The Trojan modifies the registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\
Start Page = "http://jksearch.biz/redir.php"
Default_Page_URL = "http://jksearch.biz/redir.php"
Local Page = "http://jksearch.biz/redir.php"
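As an added defender-side check (example code written for this entry, not Fortinet's own tooling), the Python below parses hosts-file text and flags every hostname that is not a localhost alias, then compares the three Internet Explorer "Main" values named above against the start page URL given in this entry. The sample hosts file and registry dump are constructed for illustration, and the set of acceptable localhost aliases is an assumption.

```python
from typing import Dict, List

# Indicator taken from the advisory text: the page the Trojan sets as the home page.
HIJACK_URL = "http://jksearch.biz/redir.php"
# Value names under HKLM\Software\Microsoft\Internet Explorer\Main that the Trojan overwrites.
IE_MAIN_VALUES = ("Start Page", "Default_Page_URL", "Local Page")
# Assumption: names a pristine Windows hosts file may legitimately carry.
LOCALHOST_ALIASES = {"localhost", "localhost.localdomain", "broadcasthost"}


def foreign_hosts_entries(hosts_text: str) -> Dict[str, str]:
    """Parse hosts-file text and return {hostname: ip} for every hostname that is
    not a localhost alias. Whether a hijacker points a name at loopback (to block
    it) or somewhere else (to redirect it), the name itself should not be there."""
    found: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname; nothing to resolve
        ip, names = fields[0], fields[1:]
        for name in names:  # one address may carry several hostnames
            if name.lower() not in LOCALHOST_ALIASES:
                found[name.lower()] = ip
    return found


def hijacked_ie_values(ie_main: Dict[str, str]) -> List[str]:
    """Return the IE "Main" value names whose data equals the known hijack URL."""
    return [name for name in IE_MAIN_VALUES
            if ie_main.get(name, "").strip().lower() == HIJACK_URL]


# Constructed sample hosts file; the last two lines mimic entries a hijacker writes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.line-plus.com
127.0.0.1       www.bestpics.net ruworld.com   # several names on one line
"""

# Constructed dump of the three registry values as read from an infected machine.
SAMPLE_IE_MAIN = {
    "Start Page": HIJACK_URL,
    "Default_Page_URL": HIJACK_URL,
    "Local Page": "about:blank",
}

if __name__ == "__main__":
    print("suspicious hosts entries:", foreign_hosts_entries(SAMPLE_HOSTS))
    print("hijacked IE values:", hijacked_ie_values(SAMPLE_IE_MAIN))
```

On a live machine the same functions can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts and the values read from the registry key above.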
Recommended Action
- Check the web interface of your FortiGate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system; if required, enable the "Allow Push Update" option
- If desired, use FortiGate Manager to add "jksearch.biz" to the URL block list so that access to the Web site "http://jksearch.biz" is blocked
Telemetry
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |