Summary

| Protection available since | 6 May 2004 12:37:58 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Please contact technical support.
More Information
Troj/StartPa-CT attempts to change settings for Microsoft Internet Explorer by
setting the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\
Window Title="<non-roman characters> http://www.v127.com"
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HomePage=dword:00000001
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Window Title="<non-roman characters> http://www.v127.com"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\
LegalNoticeCaption="<non-roman characters>"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\
LegalNoticeText="http://www.v127.com"
HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page="http://www.v127.com"
Troj/StartPa-CT copies itself to the Windows folder as hws.exe.
Troj/StartPa-CT sets the following registry entries so that it runs on Windows startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
hws="<windows folder>\hws.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
hws="<windows folder>\hws.exe"
The Trojan also sets a registry entry to launch Internet Explorer
on Windows startup, pointing to the following URL:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
url="http://www.v127.com"
Troj/StartPa-CT disables access to regedit by setting the following entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools=dword:00000001
Several security and anti-virus related processes are terminated.
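
The registry entries listed above can be checked offline against a registry export. The following Python is an added example, not part of the original Sophos description: it parses `.reg` export text and reports which of those entries are present. It assumes the export has already been decoded to text; the names `parse_reg` and `scan` are hypothetical and the sample export is constructed.

```python
import re

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
URL, ON = "http://www.v127.com", "dword:00000001"
# (key, value name, substring of data) from the page; LegalNoticeCaption omitted (its text is not given).
INDICATORS = [
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Window Title", URL),
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page", URL),
    (r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", ON),
    (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main", "Window Title", URL),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText", URL),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "hws", r"\hws.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "hws", r"\hws.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "url", URL),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", ON),
]

def parse_reg(text):
    """Parse .reg export text into {(key, value name): data}, lower-casing key and name."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith('"'):  # string data: strip quotes, undo \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            values[(key, name.lower())] = data
    return values

def scan(text):
    """Return (key, value name, data) for every listed entry found in the export."""
    values, hits = parse_reg(text), []
    for key, name, needle in INDICATORS:
        hive, rest = key.split("\\", 1)
        data = values.get((f"{HIVES[hive]}\\{rest}".lower(), name.lower()))
        if data is not None and needle.lower() in data.lower():
            hits.append((key, name, data))
    return hits

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hws"="C:\\WINDOWS\\hws.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
'''  # constructed sample export, not from a real host

print(*scan(SAMPLE), sep="\n")
```

The two policy values (HomePage and DisableRegistryTools) can also be set by an administrator, so treat a hit on those alone as corroborating rather than conclusive.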
