Browser Start Page Modifiers (Trojan.StartPage Family)

One of the best-known and most aggressive members of this family is, undoubtedly, Adware.Webalta.2 (according to Dr.Web’s classification). This piece of work is intended for viral advertising of webalta.ru, a Russian search engine, (we are happy to learn that, by now, this resource has fallen into decay and refuses to find whatsoever :))

The Trojan itself represents a simple executable file called ‘WebaltaService.exe’. It spreads by masquerading as all sorts of useful programs.

After being started, it creates the folder ‘WebaltaService’ in the directory %AppData%, saves itself into the newly created folder and registers as a registry service:

[HKLM\System\CurrentControlSet\Services\WebaltaService]
Description = Search Service
DisplayName="WebaltaService"
ImagePath= "%AppData%\WebaltaService\WebaltaService.exe -start"

All this program does is to modify the start page for ‘webalta.ru’ in all browsers installed within the system. It does this by making changes in the registry, browser configuration files and properties of shortcuts located on the desktop. At the same time, the running ‘webaltaservice.exe’ closely monitors all changes of the start page and, if necessary, restores it back to ‘webalta.ru’.

The junior relatives of Adware.Webalta.2 (for example, Trojan.StartPage.55558 or Trojan.StartPage.58232) are not so intrusive. When started, they simply modify the start page without embedding into the system. Trojan.StartPage.55558 would set some fake search engine like ‘ultimate-search.net’ as a start page, while Trojan.StartPage.58232 will bring on your start page ‘duba.com’, a Chinese news and entertainment portal.

The purpose of these programs is clear — to drum up the traffic to and promote some Internet resources.

Traffic Monetizers (Trojan.LoadMoney family)

In most cases, all members of this family originate out of some affiliate program aimed at monetizing the traffic for software installations.

In essence, these programs pay for downloading the additional software along with downloaded content. It works like this: the owner of some website with downloadable content changes the direct links to his content for the links provided by affiliate program which lead to a downloader. By clicking the link to desired content, the visitor downloads this program (which is identified by antivirus as unwanted software). When started, the downloader installs additional software along with downloadable content (usually, it’s a browser toolbar or the browser from some well-known Internet portal).

Usually, the downloader is digitally signed to avoid raising “unnecessary” questions among the visitors.

If you look at the data exchange between the downloader and server of affiliate program, you can see the identifier of partner in the affiliate program, name of affiliate program, name of downloaded file and the additional software that will be installed along with the downloaded content.

It is clear that the owners of affiliate programs are responsible only for their downloader while the content quality remains on the conscience of its owner. Although the terms of affiliate program provide for checking the entire content that goes through its server and blocking all suspicious content, the speed of this process leaves much to be desired. For example, I have seen several links that don’t lead to the requested file at all. However, they diligently install both the toolbar and browser. In other cases, the links led to a paid archive that allegedly would allow you to “reset the trial period for antivirus.” This means that a valid digital signature of downloader may serve a cover for easily bringing to your computer something bad.

Paid archives (Trojan.SMSSend family)

Surely, at least once in your life, you faced a situation when an archive with an extremely desired software or some other useful stuff which you had put so much effort to find in the vast cyberspace of the web at the end of its unpacking suddenly asks you to enter your phone number or send a mobile text message, to continue decompressing the archive.

This means that you have seen in action the affiliate programs aimed at making money on paid archives. These programs are represented, for example, by such services as ‘zipmonster.ru’ or ‘wizardpacker.com’.

In essence, these affiliate programs allow to make money by compressing the distributed content with an archiver provided by the affiliate program. This creates paid archives, and to unlock the access to such archive, the user must enter a code which he can receive in a text message that would debit a certain amount from his mobile phone account.
Usually, the antiviruses have a bad opinion of paid archives because, very often, such archives hide a dubious content.

Conclusion

The described programs do not destroy files, they do not steal credit cards and format your hard drive. Most antiviruses classify them as ‘unwanted software’ or ‘adware’, and some don’t even see anything wrong with them. However, as an old joke goes, “we found what we were looking for but I still have a bad feeling…”