McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

StartPage-JP

This page shows details and results of our analysis on the malware StartPage-JP

Threat Detail

Malware Type: Trojan

Malware Sub-type: StartPage

Discovery Date: 2006-09-07

Next Steps:

Overview

StartPage-JP is a trojan which modifies Internet Explorer's startpage settings and automatically opens Internet Explorer windows to display websites of its choice.


Minimum DAT

4847 (2006-09-07)

Updated DAT

4951 (2007-01-29)

 Minimum Engine

5.1.00

File Length

N/A

 Description Added

2006-09-07

Description Modified

2006-09-07

Malware Proliferation

Characteristics

StartPage-JP is a trojan which modifies Internet Explorer's startpage and also automatically opens Internet Explorer windows to display websites of its choice.

This trojan does not set the startpage to a prespecified value embedded in trojan's code, rather it downloads a configuration file from:

    • http://www.kan911.com/popad[REMOVED]

This configuration file tells the trojan the website to be set as Internet Explorer's default startpage. This file also contains the list of websites that need to be displayed by automatically popping up Internet Explorer windows. The time interval between popups and window title are controlled using this configuration file too.

At the time of wrting this document, startpage was being set to:

    • http://www.7651.cn

And the trojan could automatically display the following websites:

    • http://www.7651.cn 
    • http://www.kan911.com
    • http://www.tomad.cn

On execution the trojan copies itself to %WINDIR% as rundll32.exe. A run registry entry is created, so that the trojan runs on every system startup.

    • hkey_current_user\software\microsoft\windows\currentversion\run\sys001="%WINDIR%\rundll32.exe"

 

Symptoms

Modified default start page in the Internet Explorer and presence of above mentioned file and registry values. Internet Explorer windows automatically popping up to display various websites.

 

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

Variants

United States - English