Troj/StartP-Z is a Trojan for the Windows platform.
Troj/StartP-Z includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/StartP-Z is installed, the following files are created:
<Temp>\nst3.tmp\registry.dll
<Program Files>\winvi\Uninst.exe
<Program Files>\winvi\dsktp\AC_RunActiveContent.js
<Program Files>\winvi\dsktp\desktop.html
<Program Files>\winvi\dsktp\internetDetection.swf
<Program Files>\winvi\dsktp\settings.sol
<Program Files>\winvi\update.exe
<Program Files>\winvi\version.ini
<Program Files>\winvi\wupda.exe
The following registry entries are created to run update.exe and wupda.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    WinUpdater
    "<Program Files>\winvi\update.exe" /background

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    WebSUpdater
    "<Program Files>\winvi\wupda.exe" /background
Troj/StartP-Z changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Registry entries are set as follows:
HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
    iexplore.exe
    0

HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
    Enabled
    0

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
    WallpaperFileTime
    <value>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General
    WallpaperLocalFileTime
    <value>

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    NoAddingComponents
    0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    NoEditingComponents
    0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    NoChangingWallpaper
    0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    ForceActiveDesktopOn
    1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoAddingComponents
    0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoDeletingComponents
    0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoEditingComponents
    0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoChangingWallpaper
    0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
    NoActiveDesktopChanges
    1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
    NoPopupManagement
    0

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions
    NoAddingComponents
    0

HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    BackupWallpaper
    <Program Files>\winvi\dsktp\desktop.html

HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    ComponentsPositioned
    2

HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    Wallpaper
    <Program Files>\winvi\dsktp\desktop.html

HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    WallpaperFileTime
    <value>

HKCU\Software\Microsoft\Internet Explorer\Desktop\General
    WallpaperLocalFileTime
    <value>

HKCU\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General
    Wallpaper
    <Program Files>\winvi\dsktp\desktop.html

Registry entries are created under:
HKCU\Control Panel\desktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi
HKCU\Software\winvi
Troj/StartP-Z provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "winvi (remove only)".