Troj/Chorus-A is a Start Page Trojan.
When first run Troj/Chorus-A copies itself to:
<Windows folder>\htmlsync.exe
<Windows system folder>\isystem.exe
<Windows system folder>\ldriver.exe
<Windows folder>\zlibc.exe
and creates the following files internet shortcut files:
<Favorites>\Car Insurance ! Great deal !.url
<Favorites>\Online Pharmacy.url
<Favorites>\Viagra At Cheap Rates. Online Pharmacy..url
<Favorites>\Your Computer maybe infected by Spyware ! Remove It !.url
The following registry entries are created to run htmlsync.exe, isystem.exe, ldriver.exe and zlibc.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows folder>\htmlsync.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows folder>\zlibc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ldriver
<Windows system folder>\ldriver.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
isystem
<Windows system folder>\isystem.exe
Troj/Chorus-A changes settings for Microsoft Internet Explorer, including Start Page and search settings, by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\