Sophos

Troj/CWS-E

Aliases
  • Trojan.Win32.StartPage.up
  • StartPage-GL

Summary

 
Affected operating systems: Windows
Characteristics:
  • Drops more malware
  • Installs itself in the registry
Included in our products from: April 2005 (3.92)
Protection available since: 14 February 2005 21:47:39 (GMT)
Detected by: All Sophos products

More Information

Troj/CWS-E is a dropper Trojan for the Windows platform.

Troj/CWS-E will drop and register a DLL file named SEHLP.DLL, detected as Troj/CWS-C.

When first run, Troj/CWS-E will copy itself to the Windows system folder as CTFMON32.EXE and CSRSSU.EXE. In order to run automatically each time a user logs on, Troj/CWS-E will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON32
<Windows system folder>\CTFMON32.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CSRSSU
<Windows system folder>\CSRSSU.EXE

The following registry branches will also be created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3BA765C2-08DB-4fe2-9279-311CA10D582A}

HKCR\SEHLP.SEDP
HKCR\SEHLP.SEDP.1
HKCR\CLSID\{3BA765C2-08DB-4fe2-9279-311CA10D582A}
HKCR\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}
HKCR\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}
HKCR\TypeLib\{670ED4EE-ADBA-47CB-A5AD-D53A9F7C3C94}
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc
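
A triage check built from the registry indicators listed above, as an added example (not Sophos code): it scans the text of a `.reg` export for the two Run values and the listed branches, treating `HKEY_USERS\<SID>` and `SOFTWARE\Classes` paths as their HKCU and HKCR equivalents. The function names, the sample export and the SID in it are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

HIVES = {"HKLM": "hkey_local_machine", "HKCR": "hkey_classes_root"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"ctfmon32": "ctfmon32.exe", "csrssu": "csrssu.exe"}  # value name -> file
BRANCHES = [  # copied from the description above
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3BA765C2-08DB-4fe2-9279-311CA10D582A}",
    r"HKCR\SEHLP.SEDP", r"HKCR\SEHLP.SEDP.1",
    r"HKCR\CLSID\{3BA765C2-08DB-4fe2-9279-311CA10D582A}",
    r"HKCR\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}",
    r"HKCR\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}",
    r"HKCR\TypeLib\{670ED4EE-ADBA-47CB-A5AD-D53A9F7C3C94}",
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp",
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc",
]
# Expand the hive abbreviation and lower-case: registry paths are case-insensitive.
KEYS = {HIVES[b[:4]] + b[4:].lower() for b in BRANCHES}

def normalise(key):
    """Map per-user and per-machine views onto the HKCU/HKCR paths used above."""
    key = re.sub(r"^hkey_users\\[^\\]+\\", r"hkey_current_user\\", key.lower())
    return re.sub(r"^hkey_(local_machine|current_user)\\software\\classes\\",
                  r"hkey_classes_root\\", key)

def scan_reg_export(text):
    """Return the set of ("run", name) and ("key", branch) indicators found."""
    hits, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # key header; a match on a subkey counts as a match on its branch
            key = normalise(m.group(1))
            hits |= {("key", k) for k in KEYS if key == k or key.startswith(k + "\\")}
            continue
        m = re.fullmatch(r'"(.+?)"="(.*)"', line)
        if m and key == RUN_KEY:
            name = m.group(1).lower()
            exe = m.group(2).replace("\\\\", "\\").lower().rsplit("\\", 1)[-1]
            if RUN_VALUES.get(name) == exe:
                hits.add(("run", name))
    return hits

# Constructed sample export: one legitimate Run value, one indicator, one subkey.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"CTFMON32"="C:\\WINDOWS\\system32\\CTFMON32.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BA765C2-08DB-4FE2-9279-311CA10D582A}\InprocServer32]
'''
if __name__ == "__main__":
    print(sorted(scan_reg_export(SAMPLE)))
```
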

For further information, see Troj/CWS-C.
