StartPage-JH

This page shows the details and results of our analysis of the malware StartPage-JH.

Overview

This trojan modifies the default start page in Internet Explorer.


Minimum DAT: 4754 (2006-05-03)

Updated DAT: 4819 (2006-08-01)

Minimum Engine: 5.1.00

File Length: N/A

Description Added: 2006-05-03

Description Modified: 2006-06-29

Characteristics

Trojan characteristics are as follows:

  • Modifies the Internet Explorer start page and Favorites menu.
  • Adds Run key registry entries so that it is executed each time the user logs on.

Symptoms

Symptoms are as follows:

The user's default start page and Favorites menu in Internet Explorer are modified.

The following cookies are present in the "%Documents and Settings%\<USER name>\Cookies" folder:

  • <USER name>@kuro.9966[2].txt
  • <USER name>@www.18hi[1].txt

Method of Infection

Upon execution, the trojan copies itself to the %windows%\system32 folder as PYJJKIME.exe.

File: PYJJKIME.exe
MD5:  50c6415e17eba7cf1c39a8ac941a06b1

The following files are created in the %windows%\system32 folder:

  • pyjjkq.dll
  • AppCheck.dll
  • pyjjkdll.dll
  • ResIeDll.dll
  • TAPIEver.ini
  • AppEventTmp.exe

It sets the following registry value to http://www.ok56.com, which changes the machine-wide default Internet Explorer start page:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = http://www.ok56.com

The following registry values are added so that the trojan is executed each time the user logs on:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "PYJJIME" = PYJJKIME.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft TAP" = AppEventTmp.exe
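The indicators in the Symptoms and Method of Infection sections above can be checked mechanically. The script below is an added triage example, not McAfee AVERT tooling: it parses the text of a `reg export` of the two keys above (Windows Registry Editor Version 5.00 format; on a real host decode the exported file as UTF-16 first), matches a system32 directory listing against the dropped file names, matches a Cookies folder listing against the two cookie names, and can compare a file's MD5 with the hash listed for PYJJKIME.exe. The registry export, directory and cookie listings embedded below are constructed sample data, as are the user name and drive paths in them.

```python
"""Triage helper for the StartPage-JH indicators listed on this page.

Added example, not McAfee AVERT tooling.  All sample data below is
constructed for the demonstration.
"""
import hashlib
import ntpath
import re
from typing import Dict, List

# Indicators taken from the description above.
START_PAGE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BAD_START_PAGE = "http://www.ok56.com"
BAD_RUN_VALUES = {"PYJJIME": "PYJJKIME.exe", "Microsoft TAP": "AppEventTmp.exe"}
DROPPED_FILES = {"pyjjkime.exe", "pyjjkq.dll", "appcheck.dll", "pyjjkdll.dll",
                 "resiedll.dll", "tapiever.ini", "appeventtmp.exe"}
DROPPER_MD5 = "50c6415e17eba7cf1c39a8ac941a06b1"
COOKIE_HOSTS = ("@kuro.9966[", "@www.18hi[")

# One REG_SZ line of a .reg export: "name"="data" or @="data".
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=("(?:[^"\\]|\\.)*")$')


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}.

    Key paths are lower-cased so lookups are case-insensitive, as the
    registry itself is.  dword:/hex: values and continuation lines are
    skipped because none of the indicators on this page need them.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        keys[current][name] = _unescape(m.group(3)[1:-1])
    return keys


def registry_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    main = keys.get(START_PAGE_KEY.lower(), {})
    if main.get("Start Page", "").rstrip("/").lower() == BAD_START_PAGE:
        findings.append(f"IE Start Page set to {BAD_START_PAGE}")
    run = keys.get(RUN_KEY.lower(), {})
    for name, exe in BAD_RUN_VALUES.items():
        data = run.get(name)
        if data is None:
            continue
        # Run data is normally a full, possibly quoted path; compare the file name only.
        if ntpath.basename(data.strip('"')).lower() == exe.lower():
            findings.append(f"Run value {name!r} = {data}")
    return findings


def file_findings(system32_listing: List[str]) -> List[str]:
    """Names from a system32 directory listing that match the dropped files."""
    return sorted(n for n in system32_listing if n.lower() in DROPPED_FILES)


def cookie_findings(cookie_listing: List[str]) -> List[str]:
    """Cookie files whose name carries one of the two hosts listed above."""
    return [c for c in cookie_listing if any(h in c.lower() for h in COOKIE_HOSTS)]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_dropper_copy(path: str) -> bool:
    """True if the file at path has the MD5 listed above for PYJJKIME.exe."""
    with open(path, "rb") as f:
        return md5_hex(f.read()) == DROPPER_MD5


# Constructed sample of what `reg export` produces on an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.ok56.com"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PYJJIME"="C:\\WINDOWS\\system32\\PYJJKIME.exe"
"Microsoft TAP"="C:\\WINDOWS\\system32\\AppEventTmp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "PYJJKIME.exe", "pyjjkq.dll", "AppCheck.dll", "notepad.exe"]
SAMPLE_COOKIES = ["alice@google[1].txt", "alice@kuro.9966[2].txt", "alice@www.18hi[1].txt"]


def triage(reg_text: str, system32_listing: List[str], cookie_listing: List[str]) -> Dict[str, List[str]]:
    return {
        "registry": registry_findings(parse_reg_export(reg_text)),
        "files": file_findings(system32_listing),
        "cookies": cookie_findings(cookie_listing),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG, SAMPLE_SYSTEM32, SAMPLE_COOKIES).items():
        print(section, hits)
```

On a live host the inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" main.reg` and `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (one file per key; the HKCU export must be taken in the context of the affected user), plus directory listings of system32 and the user's Cookies folder. A matching Run value is a stronger signal than the file names alone, since DLL names such as AppCheck.dll could in principle collide with legitimate software; the MD5 check settles the question for the dropped executable.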

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants