Trojan.Clicker.Qhost.A
MS Internet Explorer start page changed;
Page "auto.search.msn.com" inaccessible;
Presence of file "oslogo.bmp" in "%WINDIR%\Web" folder;
When executed, the malware changes MSIE's start page;
The line "645238813 auto.search.msn.com" is added to "%SYSTEM%\drivers\etc\hosts";
The file "oslogo.bmp" is created in the "%WINDIR%\Web" folder; it contains a script that redirects IE to its own page.
The following registry keys are added or modified:
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet
HKCU\Software\Microsoft\Internet Explorer\Styles\User Stylesheet
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\Use My Stylesheet
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
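A defender-side check for the hosts-file symptom described above, as an added example that is not part of the original description: it flags entries whose address is written as a bare integer, like the line quoted above, and entries that map a watched hostname to a non-loopback address. The sample hosts content, the function names and the WATCHED_HOSTS set are assumptions made for illustration.

```python
import ipaddress

# Hostname taken from the description above; the set itself is an assumption
# of this example and can be extended with other names worth watching.
WATCHED_HOSTS = {"auto.search.msn.com"}

# Constructed sample hosts file (not captured from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
192.0.2.10      intranet.example   # documentation-range address
645238813 auto.search.msn.com
"""


def parse_address(token):
    """Return (address object or None, form) for a hosts-file address field."""
    if token.isascii() and token.isdigit():
        value = int(token)
        if value <= 0xFFFFFFFF:
            # A single 32-bit integer is an alternative spelling of an IPv4 address.
            return ipaddress.IPv4Address(value), "integer"
        return None, "invalid"
    try:
        return ipaddress.ip_address(token), "standard"
    except ValueError:
        return None, "invalid"


def audit_hosts(text):
    """Return one finding per suspicious hosts-file line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address with no hostname
        addr, form = parse_address(fields[0])
        names = [n.lower() for n in fields[1:]]
        reasons = []
        if form != "standard":
            reasons.append(f"{form} address notation")
        watched = [n for n in names if n in WATCHED_HOSTS]
        if watched and not (addr is not None and addr.is_loopback):
            reasons.append("watched host remapped: " + ", ".join(watched))
        if reasons:
            findings.append({"line": lineno, "raw_address": fields[0],
                             "address": str(addr) if addr is not None else None,
                             "names": names, "reasons": reasons})
    return findings
```

Calling `audit_hosts()` on the text of "%SYSTEM%\drivers\etc\hosts" returns a list of findings, each with the line number, the address as written, its dotted form and the reasons it was flagged.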