Sophos

Troj/StartPa-CT

Aliases
  • StartPage-CT

Summary

Protection available since 6 May 2004 12:37:58 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/StartPa-CT attempts to change settings for Microsoft Internet Explorer by
setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
Window Title="<non-roman characters> http://www.v127.com"

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HomePage=dword:00000001

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Window Title="<non-roman characters> http://www.v127.com"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\
LegalNoticeCaption="<non-roman characters>"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\
LegalNoticeText="http://www.v127.com"

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page="http://www.v127.com"

Troj/StartPa-CT copies itself to the Windows folder as hws.exe.

Troj/StartPa-CT sets the following registry entries so that it is run on Windows startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
hws="<windows folder>\hws.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
hws="<windows folder>\hws.exe"

The Trojan also sets a registry entry to launch Internet Explorer
on Windows startup, pointing to the following URL:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
url="http://www.v127.com"

Troj/StartPa-CT disables access to regedit by setting the following entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools=dword:00000001

Several security and anti-virus related processes are terminated.
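The registry entries listed above can be checked offline against a registry export. The following is an added example, not part of the Sophos description: it parses a .reg file (as produced by reg export, assumed already decoded from UTF-16 to text) and reports which of the Troj/StartPa-CT entries are present. The sample export embedded in the block is constructed for illustration, not a real capture.

```python
import re

# Troj/StartPa-CT indicators from the Sophos description: (key in .reg export form, value name, expected).
CU, LM = r"HKEY_CURRENT_USER\Software", r"HKEY_LOCAL_MACHINE\SOFTWARE"
INDICATORS = [  # expected: lowercase substring of string data, or the exact dword value
    (CU + r"\Microsoft\Internet Explorer\Main", "Start Page", "v127.com"),
    (CU + r"\Microsoft\Internet Explorer\Main", "Window Title", "v127.com"),
    (LM + r"\Microsoft\Internet Explorer\Main", "Window Title", "v127.com"),
    (CU + r"\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", 1),
    (LM + r"\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText", "v127.com"),
    (CU + r"\Microsoft\Windows\CurrentVersion\Run", "hws", "hws.exe"),
    (LM + r"\Microsoft\Windows\CurrentVersion\RunServices", "hws", "hws.exe"),
    (LM + r"\Microsoft\Windows\CurrentVersion\Run", "url", "v127.com"),
    (CU + r"\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
]
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data lines of a .reg file

def _decode(raw):
    """Decode .reg value data: dword -> int, quoted string -> unescaped str, else raw text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw[:1] == '"' == raw[-1:]:
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw

def parse_reg(text):
    """Parse a decoded .reg export into {key: {value name: data}} with lowercased names."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][m.group(1).lower()] = _decode(m.group(2).strip())
    return keys

def find_startpa_ct(reg_text):
    """Return 'key\\value' for every Troj/StartPa-CT indicator present in the export."""
    keys = parse_reg(reg_text)
    return [key + "\\" + name for key, name, exp in INDICATORS
            if (d := keys.get(key.lower(), {}).get(name.lower())) is not None
            and (d == exp if isinstance(exp, int) else exp in str(d).lower())]

# Constructed sample export (not a real capture); three of the nine indicators are present.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.v127.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hws"="C:\\WINDOWS\\hws.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001'''
```

Run find_startpa_ct on the text of a full export of HKCU and HKLM; an empty list means none of the listed entries are present, and any hit names the exact key and value to inspect and remove.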
