Troj/StartPa-DW

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/StartPa-DW is a Trojan for the Windows platform.

Troj/StartPa-DW will change the Start and Search pages of Internet Explorer.

Troj/StartPa-DW will also attempt to download and run files.

When run, Troj/StartPa-DW will drop the files BANEF.GIF and BLANK.HTM into the Windows folder. These files are used by the Trojan to display the replacement Start and Search pages and can be deleted.

Troj/StartPa-DW is installed as a Browser Helper Object (BHO). In order to run automatically each time Internet Explorer is started, the Trojan will set the following registry entries:

HKCR\CLSID\(B72F75B8-93F3-429D-B13E-660B206D897A)\InProcServer32
Default
<SYSTEM>\bphk.dll

HKCR\CLSID\(B72F75B8-93F3-429D-B13E-660B206D897A)\InProcServer32
ThreadingModel
Apartment

and create the following registry branch:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(B72F75B8-93F3-429D-B13E-660B206D897A)

Troj/StartPa-DW will associate itself with HTML and plain text files by setting the following registry entries:

HKCR\PROTOCOLS\Filter\text/html
CLSID
(B72F75B8-93F3-429D-B13E-660B206D897A)

HKCR\PROTOCOLS\Filter\text/plain
CLSID
(B72F75B8-93F3-429D-B13E-660B206D897A)

Troj/StartPa-DW will modify the following registry entry in order to replace the Search page:

HKCU\Software\Microsoft\Internet Explorer\Main
Search Page
<WINDOWS>\blank.htm

The Trojan is capable of modifying the following registry entry in order to replace the Start page:

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
<URL>

Note that the BHO component of the Trojan will hijack the Start page regardless of the previous registry entry.
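
A check for the registry indicators listed above, as an added example (not Sophos code): it parses the text of a `.reg` export and reports which of the described entries are present. The sample export, the `C:\WINDOWS` paths and the function names are constructed for illustration; the CLSID is matched by its GUID alone, so either bracket style around it matches.

```python
import re

GUID = "B72F75B8-93F3-429D-B13E-660B206D897A"  # CLSID from the description above

# Constructed sample export; paths assume Windows is installed in C:\WINDOWS.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{B72F75B8-93F3-429D-B13E-660B206D897A}\InProcServer32]
@="C:\\WINDOWS\\system32\\bphk.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B72F75B8-93F3-429D-B13E-660B206D897A}]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B72F75B8-93F3-429D-B13E-660B206D897A}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="C:\\WINDOWS\\blank.htm"
"""

def parse_reg(text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "@" is the Default value
            current[name.lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return sorted labels for each described registry entry found in keys."""
    guid, hits = GUID.lower(), []
    for path, values in keys.items():
        if path.endswith("\\inprocserver32") and guid in path:
            if values.get("", "").lower().endswith("\\bphk.dll"):
                hits.append("bho-server")
        elif "\\browser helper objects\\" in path and guid in path:
            hits.append("bho-registration")
        elif re.search(r"\\protocols\\filter\\text/(html|plain)$", path):
            if guid in values.get("clsid", "").lower():
                hits.append("mime-filter:" + path.rsplit("\\", 1)[1])
        elif path.endswith("\\internet explorer\\main"):
            if values.get("search page", "").lower().endswith("\\blank.htm"):
                hits.append("search-page")
    return sorted(hits)

if __name__ == "__main__":
    print(find_indicators(parse_reg(SAMPLE_EXPORT)))
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to `parse_reg`. The Start page value is not checked because the description gives it only as `<URL>`.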
