StartPage-EU

This page shows details and results of our analysis on the malware StartPage-EU

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2004-08-20

Description Modified

2006-01-12

Malware Proliferation

Characteristics

-- Update August 20, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,95387,00.html

This trojan modifies settings for Microsoft Internet Explorer.  When run, the trojan makes the following registry changes:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Customize Search" = http://targetsearch.info
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://targetsearch.info
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page"  = http://targetsearch.info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch"  = http://targetsearch.info/left.php
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant"  = http://targetsearch.info/left.php

Symptoms

Internet Explorer loading unexpected pages at startup and while searching.

Method of Infection

A hyperlink pointing to an infectious website was reportedly spammed to many users via AIM and ICQ on August 20, 2004.  Following that link, landed unsuspecting users on a page containing encoded Exploit-ObjectData trojan code, which loaded another page containing the Exploit-MhtRedir trojan.  The Exploit-MhtRedir trojan  referenced a CHM file containing the Exploit-CodeBase trojan , which installed the StartPage-EU trojan on vulnerable systems.

Removal

All Users :
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants