This page shows details and results of our analysis on the malware StartPage-EU


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation


-- Update August 20, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:,10801,95387,00.html

This trojan modifies settings for Microsoft Internet Explorer.  When run, the trojan makes the following registry changes:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Customize Search" =
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" =
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" =
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" =
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" =
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Search_URL" =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Local Page" =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Page" =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page"  =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch"  =
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant"  =


Internet Explorer loading unexpected pages at startup and while searching.

Method of Infection

A hyperlink pointing to an infectious website was reportedly spammed to many users via AIM and ICQ on August 20, 2004.  Following that link, landed unsuspecting users on a page containing encoded Exploit-ObjectData trojan code, which loaded another page containing the Exploit-MhtRedir trojan.  The Exploit-MhtRedir trojan  referenced a CHM file containing the Exploit-CodeBase trojan , which installed the StartPage-EU trojan on vulnerable systems.


All Users :
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations