Trojan.StartPage.38694

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Kooping' = '%PROGRAM_FILES%\Kooping\assist.exe'

Malicious functions:

Creates and executes the following:

%PROGRAM_FILES%\Kooping\kooping.exe '%U%' buyaoqidongwo
%PROGRAM_FILES%\Kooping\assist.exe

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s1.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\pop_yes.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s3.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s2.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\pop-up.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play_up.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\pop_no.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\pop_colse.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s4.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\SetIndivWeek.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\setBack_path.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set_exit.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set_chnk_start.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s6.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\s5.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\SetBack.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play_playType.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_yijian.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_sou.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\mintormax.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\min.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_focus.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_exit.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_select.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_help.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\never-ask-again.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play_down.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play_dangqian.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Play_play.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play_gexinplay.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\no_min.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\next.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\playdlg.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\play.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set_indiv.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_delete.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_case.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_open_file.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_delete_p.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\typeset.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\tryMenu.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_add_p.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\type_add.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\up.png
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\?a?A.lnk
%HOMEPATH%\Desktop\?a?A.lnk
<SYSTEM32>\huayuke.ini
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\getVersion[1]
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\wallsel.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\UpMenu.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\yes_min.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\wat.gif
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\text.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week4.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week3.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week6.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week5.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set_indiv_delet.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\set_indiv_add.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week2.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week1.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Set_week7.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\takeshe.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\takelook.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\taobao.ico
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\take_topup.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\stop.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\sougou.ico
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\takeIder.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\takeDownLoad.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\add_type_delet.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\add_type_bake.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\assist_back.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\ad_button_close.png
%PROGRAM_FILES%\Kooping\UpMenu.dll
%PROGRAM_FILES%\Kooping\update_ad.dll
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\add_type_add.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\add.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\assist_new.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\button4.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\button3.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\contin.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\close.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\bank.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\baidu.ico
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\button2.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\button1.bmp
%PROGRAM_FILES%\Kooping\updatefile.exe
%PROGRAM_FILES%\Kooping\Desktop.dll
%PROGRAM_FILES%\Kooping\DeskBandBar.dll
%PROGRAM_FILES%\Kooping\GUI_FACT.dll
%PROGRAM_FILES%\Kooping\DownMenu.dll
%PROGRAM_FILES%\Kooping\assist.exe
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\kuping[1].htm
%PROGRAM_FILES%\Kooping\Describe.dll
%PROGRAM_FILES%\Kooping\DB.MDB
%PROGRAM_FILES%\Kooping\IE_BHO.dll
%PROGRAM_FILES%\Kooping\TipMessdll.dll
%PROGRAM_FILES%\Kooping\softset.ini
%PROGRAM_FILES%\Kooping\uninst.exe
%PROGRAM_FILES%\Kooping\Top_up.dll
%PROGRAM_FILES%\Kooping\livability.dll
%PROGRAM_FILES%\Kooping\kooping.exe
%PROGRAM_FILES%\Kooping\reg.bat
%PROGRAM_FILES%\Kooping\MSADO15.DLL
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\google.ico
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\gexinSet.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\jian.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\help.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\favicon.ico
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\down_4.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\Getxin_tip.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\fenleisel.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\jisuanq.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_chlid.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_child.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_download.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_down.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menuDisplay.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\mainweb.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menu_background.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\menuplay.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\down_3.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_name.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_md5.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_right.PNG
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_path.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_down.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_bake.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_left.PNG
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_icon.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_up.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\downmeun.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\downloading.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\down_2.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\down_1.bmp
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_yincang.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\desk_Update.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\downla.png
%PROGRAM_FILES%\Kooping\ДҐЙ°UI\down.png

Deletes the following files:

%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\0D6B6PI5\getVersion[1]

Network activity:

Connects to:

'to####.zhenlaji.com':80
'localhost':1043
'localhost':1037
'www.wa##ba.com':80

TCP:

HTTP GET requests:

www.wa##ba.com/kuping.htm?ac############
www.wa##ba.com/Home/Soft/getVersion?cl##############
www.wa##ba.com/kuping.htm?ad######

HTTP POST requests:

to####.zhenlaji.com/index.php/Home/Index/getKey/

UDP:

DNS ASK to####.zhenlaji.com
DNS ASK www.wa##ba.com

Miscellaneous:

Searches for the following windows:

ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial