Troj/StartPa-CF

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/StartPa-CF is a Trojan for the Windows platform.

When first run, Troj/StartPa-CF copies itself into the Windows folder using the names svchost.exe and setdbg.exe.

In order to run on system start, the Trojan creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost = <Windows folder>\svchost.exe

Troj/StartPa-CF sets several entries in the system registry in order to ensure that common web browsing software applications load a predefined web page on startup.

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar = <URL>
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst = no
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar = <URL>
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst = no

The Trojan may also create the following registry entries:

HKCR\PROTOCOLS\Handler\its\
CLSID0 = "(9D148291-B9C8-11D0-A4CC-0000F80149F6)"
HKCR\PROTOCOLS\Handler\mhtml\
CLSID0 = "(05300401-BCBC-11d0-85E3-00C04FD85AB4)"
HKCR\PROTOCOLS\Handler\ms-its\
CLSID0 = "(9D148291-B9C8-11D0-A4CC-0000F80149F6)"

Troj/StartPa-CF also modifies the registry so that the Trojan is run every time a file with the EXE extension is executed:

HKCR\exefile\shell\open\command = "<Windows folder>\setdbg.exe %1 %*"

The Trojan then checks the name of each EXE file run for the substrings "iexplore.exe" or "opera.exe"; if either string is found, the Trojan alters the command line to include a predefined URL.
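The following PowerShell script is an added example for responders and is not part of the Sophos write-up. It audits the registry locations and file names listed above on a Windows host and reports anything that matches. The registry paths, value names and file names are taken from this page; the stock exefile open command `"%1" %*` used for comparison is the standard Windows default, and the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the Sophos write-up): audit the persistence points
# this page names for Troj/StartPa-CF. Run from an elevated PowerShell session.
$findings = @()

# 1. Run key: a value named "svchost" pointing at a copy in the Windows folder.
#    The legitimate svchost.exe lives in System32, not directly under %windir%.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost']) {
    $findings += "Run value 'svchost' = $($run.svchost)"
}

# 2. exefile handler: the Windows default is "%1" %* ; any other command is
#    executed for every .exe the user launches (the setdbg.exe hook above).
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -and $exeCmd -ne '"%1" %*') {
    $findings += "exefile open command is not the default: $exeCmd"
}

# 3. Internet Explorer start-page/search settings in both hives.
foreach ($hive in 'HKCU', 'HKLM') {
    $ieKey = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($ie) {
        if ($ie.PSObject.Properties['Search Bar']) {
            $findings += "$hive IE 'Search Bar' = $($ie.'Search Bar')"
        }
        if ($ie.'Use Search Asst' -eq 'no') {
            $findings += "$hive IE 'Use Search Asst' = no"
        }
    }
}

# 4. Protocol handler entries the Trojan may create. These keys can also exist
#    on clean systems, so treat a hit here only as corroborating evidence.
foreach ($proto in 'its', 'mhtml', 'ms-its') {
    $pKey = "Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\$proto"
    $p = Get-ItemProperty -Path $pKey -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['CLSID0']) {
        $findings += "PROTOCOLS\Handler\$proto CLSID0 = $($p.CLSID0)"
    }
}

# 5. Dropped files named in the write-up, directly under the Windows folder.
foreach ($name in 'svchost.exe', 'setdbg.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Troj/StartPa-CF indicators found.'
}
```

The exefile check is the one worth keeping in a general baseline: because the hijacked command runs for every executable launched, restoring the default `"%1" %*` value should be done together with removing the dropped files, otherwise the system may be left unable to start programs at all.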
