Trojan.Desktophijack

Discovered: April 25, 2005
Updated: April 25, 2005 2:00:24 PM
Systems Affected: Windows

Trojan.Desktophijack is a Trojan horse that modifies the Internet Explorer home page and desktop settings on a compromised computer.

When Trojan.Desktophijack is executed, it creates the following files:
%SystemDrive%\wp.exe
%SystemDrive%\wp.bmp
%System%\gunist.exe
%System%\param32.dll
%System%\pop_up.dll
%System%\searchdll.dll
%System%\wldr.dll
%System%\Air Tickets.ico
%System%\Big Tits.ico
%System%\Blackjack.ico
%System%\Britney Spears.ico
%System%\Car Insurance.ico
%System%\Cheap Cigarettes.ico
%System%\Credit Card.ico
%System%\Cruises.ico
%System%\Currency Trading.ico
%System%\Lesbian Sex.ico
%System%\MP3.ico
%System%\Online Betting.ico
%System%\Online Gambling.ico
%System%\Oral Sex.ico
%System%\Party Poker.ico
%System%\Pharmacy.ico
%System%\Phentermine.ico
%System%\Pornstars.ico
%System%\Remove Spyware.ico
%System%\viagra.ico
%UserProfile%\Desktop\Air Tickets.url
%UserProfile%\Desktop\Big Tits.url
%UserProfile%\Desktop\Blackjack.url
%UserProfile%\Desktop\Britney Spears.url
%UserProfile%\Desktop\Car Insurance.url
%UserProfile%\Desktop\Cheap Cigarettes.url
%UserProfile%\Desktop\Credit Card.url
%UserProfile%\Desktop\Cruises.url
%UserProfile%\Desktop\Currency Trading.url
%UserProfile%\Desktop\Lesbian Sex.url
%UserProfile%\Desktop\MP3.url
%UserProfile%\Desktop\Online Betting.url
%UserProfile%\Desktop\Online Gambling.url
%UserProfile%\Desktop\Oral Sex.url
%UserProfile%\Desktop\Party Poker.url
%UserProfile%\Desktop\Pharmacy.url
%UserProfile%\Desktop\Phentermine.url
%UserProfile%\Desktop\Pornstars.url
%UserProfile%\Desktop\Remove Spyware.url
%UserProfile%\Desktop\viagra.url

The Trojan creates the following registry entry so that it is executed every time Windows starts:
HKEY_USERS\Software\Microsoft\Windows\Current Version\Run\"WindowsFY" = "wp.exe"

The Trojan also creates the following registry entries to modify the desktop wallpaper:
HKEY_USERS\Control Panel\Desktop\"WallpaperStyle" = "0x00000000"
HKEY_USERS\Control Panel\Desktop\"Wallpaper" = "C:\wp.bmp"

Next, the Trojan creates the following registry entry to reset the Internet Explorer home page:
HKEY_USERS\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.hotoffers.info/ad0179"

The Trojan also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Explorer\SharedTaskScheduler\"{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
HKEY_USERS\Software\Microsoft\Internet Explorer\URLSearchHooks\"{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

The Trojan then changes the desktop wallpaper to a blue background with the following text:
Security warning
A fatal error in IE has occured at 0028:C0011E36 in UXD UMM01 *
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System cannot function in normal mode.
Please check your security settings.
* Scan your PC with any available antivirus / spyware remover program to fix this problem.

The Trojan also adds the following text to the Hosts file to prevent access to several popular search engines:

The Trojan attempts to download the following security risks:
Adware.CWSConyc
Dialer.Dapsol
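As an added example that is not part of the Symantec write-up, the following read-only PowerShell triage script checks a host for the indicators described above (Run value, wallpaper and Start Page changes, the search-hook and SharedTaskScheduler CLSIDs, dropped files, and hosts-file redirection to 69.50.173.4). It assumes it runs in the affected user's session (HKCU: stands in for the page's HKEY_USERS paths, with the standard CurrentVersion key spelling) and that %System% is System32.

```powershell
# Added triage script, not from the Symantec write-up. Assumes it runs in the
# affected user's session (HKCU: stands in for the page's HKEY_USERS\... paths,
# CurrentVersion for its "Current Version"), can read %System% and the hosts
# file, and only reports; it removes nothing.
$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue([string]$Path, [string]$Name, [string]$Pattern, [string]$Label) {
    # Record a registry value whose data matches the indicator; an empty
    # $Pattern matches any data, so it then only checks that the value exists
    if (-not (Test-Path $Path)) { return }
    $data = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
    if ($null -ne $data -and "$data" -match $Pattern) {
        $findings.Add("$Label : $Path\$Name = $data")
    }
}

# Persistence, wallpaper swap and IE start-page hijack
Test-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'WindowsFY' 'wp\.exe' 'Run value'
Test-RegValue 'HKCU:\Control Panel\Desktop' 'Wallpaper' '\\wp\.bmp$' 'Wallpaper'
Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page' 'hotoffers\.info' 'Start Page'

# Search hook and SharedTaskScheduler entries keyed by the write-up's CLSIDs
$hookClsid = '{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}'
$stsClsid  = '{D56A1203-1452-EBA1-7294-EE3377770000}'
Test-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' $hookClsid '' 'URLSearchHook'
Test-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' $stsClsid '' 'SharedTaskScheduler'
foreach ($c in '{081669BA-EFC4-48C2-A8F4-874052D02553}', $hookClsid, $stsClsid) {
    if (Test-Path "HKLM:\Software\Classes\CLSID\$c") { $findings.Add("CLSID registered: $c") }
}

# Dropped executables and DLLs (paths from the write-up; %System% = System32)
$sys = "$env:SystemRoot\System32"
$files = "$env:SystemDrive\wp.exe", "$env:SystemDrive\wp.bmp", "$sys\gunist.exe",
         "$sys\param32.dll", "$sys\pop_up.dll", "$sys\searchdll.dll", "$sys\wldr.dll"
foreach ($f in $files) { if (Test-Path $f) { $findings.Add("File present: $f") } }

# Hosts-file entries that redirect the listed search engines to 69.50.173.4
$hostsFile = "$sys\drivers\etc\hosts"
if (Test-Path $hostsFile) {
    foreach ($line in Get-Content $hostsFile) {
        if ($line -match '^\s*69\.50\.173\.4\s') { $findings.Add("Hosts redirect: $($line.Trim())") }
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Desktophijack indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM and System32 checks are not silently skipped by access errors; a hit on any line is grounds for a full antivirus scan rather than manual cleanup alone, since the Trojan also downloads further components.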