Sophos

Troj/StartPa-EG


Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: February 2005 (3.90)
Protection available since: 7 January 2005 13:26:41 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.

More Information

Troj/StartPa-EG is a Trojan that changes default Internet Explorer settings by modifying related registry entries.

Troj/StartPa-EG may drop the file sp.html in the temp folder along with randomly-named DLL files in the default system folder.

The Trojan creates or modifies the following IE registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
HOMEOldSP
"about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL
dword:00000001

HKCU\Software\Microsoft\Internet Explorer\Search\
SearchAssistant
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

HKCR\CLSID\{<RNG-ID-2>}\InProcServer32\
@
"C:\WINDOWS\System32\<file.dll>"

HKCR\CLSID\{<RNG-ID-2>}\InProcServer32\
ThreadingModel
"Apartment"

HKCR\CLSID\{<RNG-ID-1>}\InProcServer32\
@
"C:\WINDOWS\System32\<file.dll>"

HKCR\CLSID\{<RNG-ID-1>}\InProcServer32\
ThreadingModel
"Apartment"

HKCR\PROTOCOLS\Filter\text/html\
CLSID
"{2AD9F4B1-191B-47D1-84A5-D82906B77B22}"

HKCR\PROTOCOLS\Filter\text/plain\
CLSID
"{2AD9F4B1-191B-47D1-84A5-D82906B77B22}"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
HOMEOldSP
"about:blank"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Use Search Asst
"no"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Use Custom Search URL
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall\
DisplayName
"Search Assistant Uninstall"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall\
UninstallString
"regsvr32 /s /u C:\WINDOWS\System32\"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page
"about:blank"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Search Bar
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Search Page
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
Start Page
"about:blank"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\
SearchAssistant
"file://C:\DOCUME~1\REPCLI~1\LOCALS~1\Temp\sp.html"

where <RNG-ID-1> and <RNG-ID-2> are seemingly random ID strings unique to the infected machine, and <file.dll> is the name of the dropped DLL file.
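The following read-only PowerShell audit is an added example, not Sophos' tooling: it checks the entries listed above (and supports the Action section's advice to review Internet Explorer settings) by reporting IE values that point at the dropped sp.html, the text/html and text/plain filter registrations that use the CLSID listed above, and the bogus "SearchAssistant Uninstall" entry. The function and variable names are this example's own; the registry paths, value names and CLSID are the ones on this page.

```powershell
# Added example (not Sophos' tooling): read-only audit of the registry values
# Troj/StartPa-EG is documented to set. The .NET registry classes are used
# instead of the HKCU:/HKLM: provider because the provider would treat the "/"
# in the key name "text/html" as a path separator. Run as the affected user so
# the HKCU checks see that user's hive; HKLM and HKCR are machine-wide.
$FilterClsid = '{2AD9F4B1-191B-47D1-84A5-D82906B77B22}'   # CLSID from the advisory
$SpHtmlRegex = 'file://.*\\temp\\sp\.html$'                 # -match is case-insensitive
$UninstallKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall'

function Get-RegValue([Microsoft.Win32.RegistryKey]$hive, [string]$subKey, [string]$name) {
    $k = $hive.OpenSubKey($subKey)          # $null when the key does not exist
    if ($null -eq $k) { return $null }
    try { return $k.GetValue($name) } finally { $k.Close() }
}

function Test-StartPaEGIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $hives = @{ HKCU = [Microsoft.Win32.Registry]::CurrentUser
                HKLM = [Microsoft.Win32.Registry]::LocalMachine }
    # IE values the advisory lists, checked in both hives
    $ieValues = @{
        'Software\Microsoft\Internet Explorer\Main'   = 'Start Page','Search Page','Search Bar','HOMEOldSP','Use Custom Search URL'
        'Software\Microsoft\Internet Explorer\Search' = ,'SearchAssistant'
    }
    foreach ($h in $hives.Keys) {
        foreach ($sub in $ieValues.Keys) {
            foreach ($name in $ieValues[$sub]) {
                $v = Get-RegValue $hives[$h] $sub $name
                if ($null -eq $v) { continue }
                if ("$v" -match $SpHtmlRegex) {
                    $findings.Add("$h\$sub\$name -> $v (points at the dropped sp.html)")
                } elseif ($name -eq 'Use Custom Search URL' -and $v -eq 1) {
                    $findings.Add("$h\$sub\$name = 1 (weak indicator on its own; listed in the advisory)")
                }
            }
        }
    }
    # MIME filter registrations that hand text/html and text/plain to the hijacker's CLSID
    foreach ($mime in 'text/html','text/plain') {
        $c = Get-RegValue ([Microsoft.Win32.Registry]::ClassesRoot) "PROTOCOLS\Filter\$mime" 'CLSID'
        if ($c -and $c -ieq $FilterClsid) { $findings.Add("HKCR\PROTOCOLS\Filter\$mime CLSID = $c") }
    }
    # Bogus Add/Remove Programs entry the Trojan registers
    $u = Get-RegValue ([Microsoft.Win32.Registry]::LocalMachine) $UninstallKey 'UninstallString'
    if ($u) { $findings.Add("HKLM\$UninstallKey present, UninstallString = $u") }
    return $findings
}

$result = Test-StartPaEGIndicators
if ($result.Count -eq 0) { 'No Troj/StartPa-EG registry indicators found.' } else { $result }
```

The script only reads the registry; removal still follows the Trojan removal instructions referenced in the Action section.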
