Trojan.Win32.StartPage.jo

Other versions: .a, .au, .bh, .dh, .dz, .ej, .es, .fc, .fg, .gj, .gp, .oz, .pk, .vk, .wd

Aliases
Trojan.Win32.StartPage.jo (Kaspersky Lab) is also known as: StartPage-AI.gen (McAfee), Trojan.StartPage (Symantec), Trojan.StartPage.350 (Doctor Web), Trojan:Win32/StartPage.EZ (RAV), TROJ_STARTPAG.JO (Trend Micro), TR/OLCheck.2 (H+BEDV), Win32:Trojan-gen. (ALWIL), Startpage.6.AR (Grisoft), Trojan.StartPage.EZ (SOFTWIN), Trojan.Startpage.gen-11 (ClamAV), Trj/StartPage.HE (Panda), Win32/StartPage.JO (Eset)
Description added Nov 23 2007
Behavior Trojan

Technical details

This Trojan has a malicious payload. It is a Windows PE EXE file, 11776 bytes in size, packed with UPX; the unpacked file is approximately 48KB. It is written in Delphi.

Payload

Once launched, the Trojan will:

  1. modify the following system registry key values:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "http://www.find-online.net/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Use Search Asst" = "yes"
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Search Page" = "http://www.find-online.net/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Search Bar" = "http://www.find-online.net/sp.htm"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL]
    "Default" = "http://www.find-online.net/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL]
    "provider" = "gog1"
    [HKLM\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant" = "http://www.find-online.net/sp.htm"

    These changes redirect Internet Explorer's home page, search page, search bar and Search Assistant to find-online.net. The last value is under HKLM, so it can only be written if the Trojan runs with rights to modify that hive; the HKCU values are changed for the current user only.

  2. create the following value under the Run key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ziphelp" = "%WinDir%\ziphelp.exe"

    This will cause "%WinDir%\ziphelp.exe" to be launched each time the current user logs on, assuming that such a file is present on the victim machine. The description does not record the Trojan itself copying a file to that path, so the entry only takes effect if another component places one there.

  3. create the following shortcuts in the current user's Favorites folder:
    %USERPROFILE%\Favorites\FINDONLINE.net
    %USERPROFILE%\Favorites\Free PORN Ezines
    %USERPROFILE%\Favorites\Free PORN Tickets
    %USERPROFILE%\Favorites\PORN FINDONLINE.net
    %USERPROFILE%\Favorites\Adult\Breast Enlargement Pills
    %USERPROFILE%\Favorites\Adult\Penis Enlargement Pills
    %USERPROFILE%\Favorites\Adult\
    %USERPROFILE%\Favorites\Adult\Sex Toys
    %USERPROFILE%\Favorites\Adult\Sexual Enhancers
    %USERPROFILE%\Favorites\Adult\Single Girls
    %USERPROFILE%\Favorites\Adult\Swinger Clubs
    %USERPROFILE%\Favorites\Health\Fitness
    %USERPROFILE%\Favorites\Health\Human Growth Hormone
    %USERPROFILE%\Favorites\Health\Men Health
    %USERPROFILE%\Favorites\Health\Weight Loss
    %USERPROFILE%\Favorites\Health\Women Health
    %USERPROFILE%\Favorites\Insurance\Auto Insurance
    %USERPROFILE%\Favorites\Insurance\Business Insurance
    %USERPROFILE%\Favorites\Insurance\Health Insurance
    %USERPROFILE%\Favorites\Insurance\Home Insurance
    %USERPROFILE%\Favorites\Insurance\Travel Insurance
    %USERPROFILE%\Favorites\Internet\Antivirus
    %USERPROFILE%\Favorites\Internet\Internet Businesses
    %USERPROFILE%\Favorites\Internet\Spyware Remover
    %USERPROFILE%\Favorites\Internet\Web Hosting
    %USERPROFILE%\Favorites\Internet\Web Site Design
    %USERPROFILE%\Favorites\Online Games\Black Jack
    %USERPROFILE%\Favorites\Online Games\Craps
    %USERPROFILE%\Favorites\Online Games\Online Casinos
    %USERPROFILE%\Favorites\Online Games\Poker
    %USERPROFILE%\Favorites\Online Games\Roulette
    %USERPROFILE%\Favorites\Online Pharmacy\Hydrocodone
    %USERPROFILE%\Favorites\Online Pharmacy\Online Pharmacy
    %USERPROFILE%\Favorites\Online Pharmacy\Prozac
    %USERPROFILE%\Favorites\Online Pharmacy\Valium
    %USERPROFILE%\Favorites\Online Pharmacy\Viagra Online

    The Trojan then exits.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

    1. Use Task Manager to terminate the Trojan process, if it is still running (the Trojan exits on its own once it has made the changes above, so there may be no process to terminate).
    2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
    3. Revert the following system registry values to the settings used before infection (the values shown are the ones set by the Trojan; any value still pointing at find-online.net should be considered hijacked):
      [HKCU\Software\Microsoft\Internet Explorer\Main]
      "Start Page" = "http://www.find-online.net/index.htm"
      [HKCU\Software\Microsoft\Internet Explorer\Main]
      "Use Search Asst" = "yes"
      [HKCU\Software\Microsoft\Internet Explorer\Main]
      "Search Page" = "http://www.find-online.net/index.htm"
      [HKCU\Software\Microsoft\Internet Explorer\Main]
      "Search Bar" = "http://www.find-online.net/sp.htm"
      [HKCU\Software\Microsoft\Internet Explorer\SearchURL]
      "Default" = "http://www.find-online.net/index.htm"
      [HKCU\Software\Microsoft\Internet Explorer\SearchURL]
      "provider" = "gog1"
      [HKLM\Software\Microsoft\Internet Explorer\Search]
      "SearchAssistant" = "http://www.find-online.net/sp.htm"
    4. Delete the following value from the Run key (remove only the "ziphelp" value, not the Run key itself, which is used by legitimate software):
      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "ziphelp" = "%WinDir%\ziphelp.exe"
    5. Delete all shortcuts created by the Trojan (Favorites are stored as .url files, so the entries below correspond to files and folders under the user's Favorites directory):
      %USERPROFILE%\Favorites\FINDONLINE.net
      %USERPROFILE%\Favorites\Free PORN Ezines
      %USERPROFILE%\Favorites\Free PORN Tickets
      %USERPROFILE%\Favorites\PORN FINDONLINE.net
      %USERPROFILE%\Favorites\Adult\Breast Enlargement Pills
      %USERPROFILE%\Favorites\Adult\Penis Enlargement Pills
      %USERPROFILE%\Favorites\Adult\
      %USERPROFILE%\Favorites\Adult\Sex Toys
      %USERPROFILE%\Favorites\Adult\Sexual Enhancers
      %USERPROFILE%\Favorites\Adult\Single Girls
      %USERPROFILE%\Favorites\Adult\Swinger Clubs
      %USERPROFILE%\Favorites\Health\Fitness
      %USERPROFILE%\Favorites\Health\Human Growth Hormone
      %USERPROFILE%\Favorites\Health\Men Health
      %USERPROFILE%\Favorites\Health\Weight Loss
      %USERPROFILE%\Favorites\Health\Women Health
      %USERPROFILE%\Favorites\Insurance\Auto Insurance
      %USERPROFILE%\Favorites\Insurance\Business Insurance
      %USERPROFILE%\Favorites\Insurance\Health Insurance
      %USERPROFILE%\Favorites\Insurance\Home Insurance
      %USERPROFILE%\Favorites\Insurance\Travel Insurance
      %USERPROFILE%\Favorites\Internet\Antivirus
      %USERPROFILE%\Favorites\Internet\Internet Businesses
      %USERPROFILE%\Favorites\Internet\Spyware Remover
      %USERPROFILE%\Favorites\Internet\Web Hosting
      %USERPROFILE%\Favorites\Internet\Web Site Design
      %USERPROFILE%\Favorites\Online Games\Black Jack
      %USERPROFILE%\Favorites\Online Games\Craps
      %USERPROFILE%\Favorites\Online Games\Online Casinos
      %USERPROFILE%\Favorites\Online Games\Poker
      %USERPROFILE%\Favorites\Online Games\Roulette
      %USERPROFILE%\Favorites\Online Pharmacy\Hydrocodone
      %USERPROFILE%\Favorites\Online Pharmacy\Online Pharmacy
      %USERPROFILE%\Favorites\Online Pharmacy\Prozac
      %USERPROFILE%\Favorites\Online Pharmacy\Valium
      %USERPROFILE%\Favorites\Online Pharmacy\Viagra Online
    6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
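The following PowerShell script is an added example, not part of the original description and not Kaspersky's tooling. It audits a host for the indicators listed in the Payload section and, when run with -Remediate, carries out steps 3 to 5 of the removal instructions above. The domain, registry paths and value names come from this description; the replacement home page ("about:blank"), the choice to delete rather than reset the search values the Trojan created, and the check of each .url file's target instead of its name are assumptions made for the example.

```powershell
<#
Added example (not Kaspersky code). Audits for Trojan.Win32.StartPage.jo
indicators and, with -Remediate, undoes them. Run with -Remediate -WhatIf
first for a dry run. Assumptions are marked in comments.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,
    # Domain the Trojan points Internet Explorer at (from the description).
    [string]$BadHost = 'find-online.net',
    # Replacement for the hijacked Start Page / Search Page. The pre-infection
    # values are not recoverable from the description, so this is an assumption.
    [string]$CleanPage = 'about:blank'
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Remediate -and -not $isAdmin) {
    Write-Warning 'Not elevated: the HKLM SearchAssistant value cannot be changed from this session.'
}

# 1. Internet Explorer values the Trojan sets (step 3 of the removal instructions).
#    Restore = $null means "delete the value" (assumption: IE falls back to its
#    defaults when a per-user search value is absent).
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieSearch = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'
$ieHklm   = 'HKLM:\Software\Microsoft\Internet Explorer\Search'
$urlValues = @(
    @{ Path = $ieMain;   Name = 'Start Page';      Restore = $CleanPage },
    @{ Path = $ieMain;   Name = 'Search Page';     Restore = $CleanPage },
    @{ Path = $ieMain;   Name = 'Search Bar';      Restore = $null },
    @{ Path = $ieSearch; Name = 'Default';         Restore = $null },
    @{ Path = $ieHklm;   Name = 'SearchAssistant'; Restore = $null }
)
foreach ($v in $urlValues) {
    $cur = Get-RegValue $v.Path $v.Name
    if ($cur -and $cur -like "*$BadHost*") {
        $findings.Add("REG  $($v.Path)\$($v.Name) = $cur")
        if ($Remediate -and $PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", 'revert')) {
            try {
                if ($null -ne $v.Restore) { Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Restore }
                else { Remove-ItemProperty -Path $v.Path -Name $v.Name }
            } catch { Write-Warning "Could not revert $($v.Path)\$($v.Name): $_" }
        }
    }
}
# 'Use Search Asst' and 'provider' carry no URL, so they are reported for manual review only.
foreach ($n in @(@($ieMain, 'Use Search Asst'), @($ieSearch, 'provider'))) {
    $cur = Get-RegValue $n[0] $n[1]
    if ($cur) { $findings.Add("INFO $($n[0])\$($n[1]) = $cur (review manually)") }
}

# 2. Run value (step 4). Only the value is removed; the Run key itself stays.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-RegValue $runKey 'ziphelp'
if ($runVal) {
    $findings.Add("RUN  $runKey\ziphelp = $runVal")
    $exe = [Environment]::ExpandEnvironmentVariables($runVal.Trim('"'))
    if (Test-Path -LiteralPath $exe) { $findings.Add("FILE $exe exists; submit for analysis before deleting") }
    if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\ziphelp", 'remove Run value')) {
        Remove-ItemProperty -Path $runKey -Name 'ziphelp'
    }
}

# 3. Favorites (step 5). .url files are INI text: [InternetShortcut] / URL=...
#    Matching on the target rather than the file name also catches renamed shortcuts.
$fav = [Environment]::GetFolderPath('Favorites')
Get-ChildItem -LiteralPath $fav -Recurse -Filter *.url -File -ErrorAction SilentlyContinue | ForEach-Object {
    $m = Select-String -LiteralPath $_.FullName -Pattern '^URL=(.*)$' | Select-Object -First 1
    $target = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    if ($target -and $target -like "*$BadHost*") {
        $findings.Add("FAV  $($_.FullName) -> $target")
        if ($Remediate -and $PSCmdlet.ShouldProcess($_.FullName, 'delete shortcut')) {
            Remove-Item -LiteralPath $_.FullName
        }
    }
}

if ($findings.Count -eq 0) { 'No Trojan.Win32.StartPage.jo indicators found.' } else { $findings }
```

Run it without switches for an audit, then with -Remediate -WhatIf to see what would change, and finally with -Remediate from an elevated session so the HKLM value can be reverted. The Trojan's own executable is not located by the script, because the description gives no fixed path or process name for it; follow step 2 above for that file.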
Copyright © 1996 - 2010
Kaspersky Lab