high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 23 August 2004 13:57:50 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CLASSES_ROOT entry:
Typically an unaltered registry entry will be set to
HKCR\exefile\shell\open\command\(default) = "%1" %*
the altered registry entry will be
HKCR\exefile\shell\open\command = "<Windows folder>\setdbg.exe %1 %*"
delete only the path to the worm. Do not delete anything else.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost = <Windows folder>\svchost.exe
and delete it if it exists.
Close the registry editor.
You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.
More Information
Troj/StartPa-CF is a Trojan for the Windows platform.
When first run, Troj/StartPa-CF copies itself into the Windows folder using the names svchost.exe and setdbg.exe
In order to run on system start, the Trojan creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost = <Windows folder>\svchost.exe
Troj/StartPa-CF sets several entries in the system registry in order to ensure that common web browsing software applications load a predefined web page on startup.
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar = <URL>
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst = no
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar = <URL>
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst = no
The Trojan may also create the following registry entries:
HKCR\PROTOCOLS\Handler\its\
CLSID0 = "(9D148291-B9C8-11D0-A4CC-0000F80149F6)"
HKCR\PROTOCOLS\Handler\mhtml\
CLSID0 = "(05300401-BCBC-11d0-85E3-00C04FD85AB4)"
HKCR\PROTOCOLS\Handler\ms-its\
CLSID0 = "(9D148291-B9C8-11D0-A4CC-0000F80149F6)"
Troj/StartPa-CF also hooks into the registry to run the Trojan every time a file is accessed with the EXE file extension:
HKCR\exefile\shell\open\command = "<Windows folder>\setdbg.exe %1 %*"
The Trojan then checks the name of each EXE file run for the substrings "iexplore.exe" or "opera.exe" and upon detection of either string, the Trojan will alter the command line to include a predefined URL.
|
