Troj/StartPa-BR

Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	7 July 2004 13:05:31 (GMT)
Last updated	6 September 2004 10:56:42 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupd = C:\\WINDOWS\\System32\\winupd.exe

and delete it if it exists.

Close the registry editor.

More Information

Summary
Action
More Information

Troj/StartPa-BR is a simple Trojan that makes changes to internet explorer settings via the registry and modifies the hosts files. Troj/StartPa-BR is a simple Trojan that makes changes to internet explorer settings via the registry and modifies the hosts files.

Troj/StartPa-BR will also drop the following files into the Favourites folder:

My Search Page.url
Weekend Free Movies.url

Troj/StartPa-BR creates the following registry entry to ensure the Trojan is run during windows logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
winupd = C:\WINDOWS\System32\winupd.exe

Troj/StartPa-BR creates the following registry entries to hijack Microsoft's Internet Explorer:

HKCU\Software\Microsoft\Internet Explorer\
SearchURL = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\
Search = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\Main\
Default_Search_URL = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\Search\
SearchAssistant = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\Search\
CustomizeSearch = http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\
SearchURL = http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\
Search = http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Search Bar = http://dka.directwebsearch.net/search.php

Troj/StartPa-BR modifies the following registry entries to hijack Microsoft's Internet Explorer:

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page = http://dka.directwebsearch.net/search.php

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page = http://dka.directwebsearch.net/index.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Default_Search_URL = http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Search Page= http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Start Page = http://dka.directwebsearch.net/index.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\
CustomizeSearch = http://dka.directwebsearch.net/search.php

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\
SearchAssistant = http://dka.directwebsearch.net/search.php

Troj/StartPa-BR modifies the Hosts file in <Windows>\<system>\drivers\etc
so that attempts to connect to auto.search.msn.com will be redirected to another IP adress with the following:

69.31.79.187 auto.search.msn.com

Troj/StartPa-BR may arrive on the computer by opening HTML pages that exploit vulnerabilities associated with certain versions of Microsoft Internet Explorer.

Such HTML pages will contain a SRC= link to a compiled HTML help file containing the Troj/StartPa-BR executable and a HTML page capable of launching the Troj/StartPa-BR executable via the CODEBASE vulnerability associated with Internet Explorer. For example a HTML page may contain:

SRC='http://unknown.com/111.chm::/q.htm

where 111.chm is a compiled HTML help file (detected as Troj/StartPa-BR) containing q.htm and the Troj/StartPa-BR executable and q.htm (detected as Troj/Codebase-C) is a HTML file which exploits the CODEBASE vulnerability to run the Troj/StartPa-BR executable.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/StartPa-BR

Summary

Action

More Information