Virus:TR/Drop.Star.RN.3.A
Date discovered:13/12/2012
Type:Trojan
Subtype:Dropper
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:59,824 Bytes
MD5 checksum:cb7539d255cb01187f4b8bab6a275de0
VDF version:7.11.53.216

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files
The following files are created:

– %PROGRAM FILES%\IESearchToolbar\IESearchToolbar.dat
– %PROGRAM FILES%\IESearchToolbar\IESearchToolbar.dll
   Further analysis showed that this file is malware, too.
– %PROGRAM FILES%\IESearchToolbar\IESearchToolbar_uninstall.exe
– %PROGRAM FILES%\IESearchToolbar\medicine.ico
– %PROGRAM FILES%\IESearchToolbar\search.ico
– %PROGRAM FILES%\IESearchToolbar\security.ico
– %PROGRAM FILES%\IESearchToolbar\auto.ico
– %PROGRAM FILES%\IESearchToolbar\computers.ico
– %PROGRAM FILES%\IESearchToolbar\games.ico
– %PROGRAM FILES%\IESearchToolbar\heart.ico
– %HOME%\favorites\spyware killer.url
– %HOME%\favorites\porno search.url
– %HOME%\favorites\total-search.url
– %HOME%\favorites\magic-search.url

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
   {69753829-779C-45e7-9D8C-C79CE0989246}]
   • "UninstallString"="%PROGRAM FILES%\\IESearchToolbar\\iesearchtoolbar_uninstall.exe"
   • "DisplayName"="IE Search Toolbar plugin"

– [HKCR\CLSID\{EB381422-F797-4A98-A266-9DC490821907}]
   • @="IE Search Toolbar"

– [HKCR\CLSID\{EB381422-F797-4A98-A266-9DC490821907}\InProcServer32]
   • @="%PROGRAM FILES%\\IESearchToolbar\\IESearchToolbar.dll"
   • "ThreadingModel"="Apartment"

– [HKCR\CLSID\{2C5175A2-ADF3-4F57-AB70-BA90FD60A383}]
   • @="IE Search Toolbar Helper"

– [HKCR\CLSID\{2C5175A2-ADF3-4F57-AB70-BA90FD60A383}\InProcServer32]
   • @="%PROGRAM FILES%\\IESearchToolbar\\IESearchToolbar.dll"
   • "ThreadingModel"="Apartment"

– [HKLM\SOFTWARE\Perezzz Software\IESearchToolbar]
   • @="second"
   • "first_start"=dword:00000000



The following registry keys are changed:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"="%user defined settings%"
   New value:
   • "Start Page"="http://our-counter.com/in.cgi?four"

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
   Old value:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"="%user defined settings%"
   New value:
   • "{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
      aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
   Old value:
   • "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"="%user defined settings%"
   New value:
   • "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,\
      aa,00,5b,43,83,22,00,1c,00,08,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,4c,00,00,00,01,14,02,00,00,00,00,00,c0,00,00,00,00,\
      00,00,46,81,00,00,00,10,00,00,00,28,71,a3,16,e4,6a,c5,01,b0,e3,7e,2b,aa,96,\
      c5,01,28,7e,3b,3d,d4,86,c5,01,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,57,01,14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,\
      08,00,2b,30,30,9d,19,00,2f,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,5c,00,31,00,00,00,00,00,c6,32,e4,b0,10,00,44,4f,43,55,4d,\
      45,7e,31,00,00,44,00,03,00,04,00,ef,be,c6,32,da,75,01,33,85,73,14,00,00,00,\
      44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,\
      00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,00,00,18,00,40,00,\
      31,00,00,00,00,00,c6,32,79,b6,10,00,6e,61,6d,65,31,32,35,32,00,00,28,00,03,\
      00,04,00,ef,be,c6,32,e4,b0,01,33,85,73,14,00,00,00,6e,00,61,00,6d,00,65,00,\
      31,00,32,00,35,00,32,00,00,00,18,00,56,00,31,00,00,00,00,00,01,33,bb,76,11,\
      00,46,41,56,4f,52,49,7e,31,00,00,3e,00,03,00,04,00,ef,be,c6,32,e4,b0,01,33,\
      6e,78,14,00,28,00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,\
      00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,31,32,36,39,33,00,18,00,36,00,\
      31,00,00,00,00,00,ec,32,09,5b,10,00,4c,69,6e,6b,73,00,22,00,03,00,04,00,ef,\
      be,c6,32,e6,b0,fb,32,ab,41,14,00,00,00,4c,00,69,00,6e,00,6b,00,73,00,00,00,\
      14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,00,00,00,00,78,70,5f,70,72,\
      6f,66,31,30,38,5f,32,00,00,00,00,9e,55,bd,79,de,0e,76,45,89,4c,41,c2,e8,91,\
      9c,1b,dc,3b,e4,9c,70,d7,d9,11,a3,cf,00,0c,29,1b,5b,42,9e,55,bd,79,de,0e,76,\
      45,89,4c,41,c2,e8,91,9c,1b,dc,3b,e4,9c,70,d7,d9,11,a3,cf,00,0c,29,1b,5b,42,\
      00,00,00,00

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
   Old value:
   • "ITBarLayout"="%user defined settings%"
   New value:
   • "ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1f,00,02,00,\
      6e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
      00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\
      00,00,03,00,00,00,20,03,00,00,00,00,00,00,07,00,00,00,61,05,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,22,14,38,\
      eb,97,f7,98,4a,a2,66,9d,c4,90,82,19,07,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
      00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
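The binary values above are not opaque. Windows stores GUIDs mixed-endian (first three fields little-endian, the remaining bytes in order), so the first 16 bytes of the "{01E04581-...}" value are that same GUID, and the toolbar CLSID {EB381422-F797-4A98-A266-9DC490821907} registered under HKCR appears verbatim inside "ITBarLayout" (the bytes 22,14,38,eb,97,f7,... in the dump): that is what ties the dropped COM class to Internet Explorer's saved toolbar layout. The script below is an added example, not part of this Avira write-up; it parses regedit-style "hex:" values and reports which of the dropper's CLSIDs are embedded in ITBarLayout. The sample registry text is constructed from the bytes shown above, with the long run of 00 padding in ITBarLayout shortened, so the offsets it prints differ from those of the full value on an infected system.

```python
import re
import uuid

# CLSIDs the dropper registers under HKCR (taken from the write-up above).
TOOLBAR_CLSID = "{EB381422-F797-4A98-A266-9DC490821907}"  # "IE Search Toolbar"
HELPER_CLSID = "{2C5175A2-ADF3-4F57-AB70-BA90FD60A383}"   # "IE Search Toolbar Helper"

# Constructed sample in regedit export format: a trailing backslash continues the
# value on the next line. Bytes are copied from the write-up; the zero padding
# inside ITBarLayout is shortened, so offsets differ from a real export.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
  aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1f,00,02,00,\
  6e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
  00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\
  00,00,03,00,00,00,20,03,00,00,00,00,00,00,07,00,00,00,61,05,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,22,14,38,\
  eb,97,f7,98,4a,a2,66,9d,c4,90,82,19,07,00,00,00,00,00,00,00,00,00,00,00,00
'''

_VALUE_RE = re.compile(r'^"(.+?)"=hex:(.*)$')


def parse_reg_binary(reg_text):
    """Return {value_name: bytes} for every REG_BINARY ("hex:") value in reg_text."""
    values, name, hexbytes = {}, None, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if name is None:
            m = _VALUE_RE.match(line)
            if not m:
                continue                      # key header, blank line or non-binary value
            name, data = m.group(1), m.group(2)
        else:
            data = line                       # continuation line of the current value
        continued = data.endswith("\\")
        if continued:
            data = data[:-1]
        hexbytes += [b for b in data.strip(",").split(",") if b]
        if not continued:
            values[name] = bytes(int(b, 16) for b in hexbytes)
            name, hexbytes = None, []
    return values


def guid_at(blob, offset):
    """Decode the 16 bytes at offset as a Windows GUID in registry "{...}" form.
    uuid's bytes_le constructor implements exactly the mixed-endian layout."""
    return "{%s}" % str(uuid.UUID(bytes_le=blob[offset:offset + 16])).upper()


def find_guid(blob, guid_text):
    """Byte offset of a registry-style "{...}" GUID inside blob, or -1 if absent."""
    return blob.find(uuid.UUID(guid_text.strip("{}")).bytes_le)


def embedded_clsids(reg_text, clsids=(TOOLBAR_CLSID, HELPER_CLSID)):
    """Map each CLSID to its offset inside the ITBarLayout value (-1 if absent)."""
    layout = parse_reg_binary(reg_text)["ITBarLayout"]
    return {c: find_guid(layout, c) for c in clsids}


if __name__ == "__main__":
    values = parse_reg_binary(SAMPLE_REG)
    # The value named after a GUID carries that same GUID in its first 16 bytes.
    print(guid_at(values["{01E04581-4EEE-11D0-BFE9-00AA005B4383}"], 0))
    for clsid, off in embedded_clsids(SAMPLE_REG).items():
        print(clsid, "in ITBarLayout at offset", off)
```

Only the toolbar CLSID is found in ITBarLayout; the "Helper" CLSID is not, which matches the page listing it as a separate COM class rather than a toolbar band. To run the same check against a live export, replace SAMPLE_REG with the text of `reg export "HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" out.reg` (an assumed usage, not from the write-up) and feed any CLSIDs under suspicion to embedded_clsids.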

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • Nullsoft PiMP SFX

Description inserted by Catalin Jora on Tuesday, August 9, 2005
Description updated by Catalin Jora on Friday, August 26, 2005
