Jahewi's Anti-Malware Information
StartPage-trojans List

 

 

 

 


Troj/Startpage.A

Sophos Oct 14 2003

%Windows%\SVCHOST.EXE

It creates the following autostart-entry in the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost = %WINDOWS%\SVCHOST.EXE
Modifies browser-properties of IE in these registry-entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\SearchURL\(Default)
HKCU\Software\Microsoft\Internet Explorer\SearchURL\provider
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

Adds the following links to the favorites-folder:

FREE HIDDEN CAMS, WORLD FREE SPY CAM, FREE WEB CAMS, CHATS GET THIS 4 FREE

Troj_Startpage.A

Trend Micro Oct 14 2003

Download.Trojan, JS.CSSPopup.C, Troj/StartPa-B, TrojanDownloader:Win32/Agent.FW, Win32/Startpage.JH!Trojan

C:\Program Files\registry.exe

Adds an autostart-entry to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run http load = "C:\Program Files\registry.exe"
Hijacks the IE homepage, using the following registry-entry:
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Start Page = "http://www.coo***gt.com"

Reg_Startpage.A

Trend Micro may 12, 2002

Troj/WinREG, TROJAN.WINREG.START, Reg/Startpage.Trojan, REG.Startpage, Trojan.WinREG.StartPage

%system%\folder\rad36656.tmp

Adds an autostart-entry to the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OPQFile =

     "C:\WINDOWS\regedit.exe /s C:\WINDOWS\SYSTEM\rad36656.tmp"

Uses the registry-scriptfile rad36656.tmp to change the homepage and search-functions of IE to either http://www.allcybersearch.com/ie/, http://www.mycpworld.com, http://www.chil***aysite.com or http://www.topsearcher.com/ie by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\SearchURL

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar

HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL

HKCU\Software\Microsoft\Internet Explorer\Main\Search\Search Assistant

HKCU\Software\Microsoft\Internet Explorer\Main\Search\CustomizeSearch

HKLM\Software\Microsoft\Internet Explorer\Search\Search Assistant

HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

HKLM\Software\Microsoft\Internet Explorer\Search\Search Page

HKLM\Software\Microsoft\Internet Explorer\Search\Search Bar

HKLM\Software\Microsoft\Internet Explorer\Search\Search URL
HKU\.Default\Software\Microsoft\Internet Explorer\SearchURL

HKLM\Software\Microsoft\Internet Explorer\Search\Main\Search Page

HKLM\Software\Microsoft\Internet Explorer\Search\Main\Default_Search_URL

HKLM\Software\Microsoft\Internet Explorer\Search\Main\Search Bar

HKLM\Software\Microsoft\Internet Explorer\Search\Main\Search Assistant

Java_Startpage.A

Trend Micro dec 27 2003

 

JavaScript-file. Hijacks IE's homepage and points it to the URL http://solongas.com/main/sp.php.
Downloads Troj_Tooncom.I, a Downloader-trojan that contacts a certain site to download other malware.

Trojan.Win32.Startpage.AA

Computer Associates sep 2003

Adware/Surfbar

surferbar.dll

 

Troj_Startpage.AK

Trend Micro 19 Oct 2004

Troj/Startpa-CH, StartPage-FF

PORTAL.REG

X.BAT

X.HTML

Uses Reg_Startpage.G to hijack IE

Trojan.Win32.Startpage.AM

Computer Associates May, 2004

Trj/Tofger.J, Win32.Startpage.AI, Win32/StartPage.6656!Trojan

trojan.win32.startpage.am.exe

 

Trojan.Win32.Startpage.AQ

Computer Associates jan2 2004

rundll32.exe

 

Troj_Startpage.AX

McAfee dec 1, 2004

TROJ_STARTPAGE.F, Trojan.Bookmarker.B, Trojan.Win32.StartPage.au

%SysDir%\CTRLPAN.DLL

%WinDir%\HH.HTT

The trojan is dropped as %SysDir%\CTRLPAN.DLL, with the hidden attribute, by a dropper-trojan and installed onto the system.
This non-replicating trojan usually arrives through peer-to-peer networks and IRC-channels.
After installation the startpage-trojan adds a registry key such that the DLL is loaded by other processes running on the victim machine:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" = ctrlpan.dll
The stylesheet-file %WinDir%\HH.HTT is dropped, which contains script that attempts to launch the URL http://aifind.info/adult.htm
The following Registry keys are added in order to load the above file as an Internet Explorer style sheet:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles "Use My Stylesheet" = 01, 00, 00, 00
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles "User Stylesheet" = %WinDir%\hh.htt

The following registry-keys are altered to point to http://aifind.info/
HKCU\Software\Microsoft\Internet Explorer "SearchURL"
HKCU\Software\Microsoft\Internet Explorer\Main "Search Bar"    
HKCU\Software\Microsoft\Internet Explorer\Main "Search Page"
HKCU\Software\Microsoft\Internet Explorer\Main "Start Page"

The hosts-file, %SysDir%\drivers\etc\hosts, is overwritten to contain the following hosts:
127.0.0.1   localhost
205.177.124.66   auto.search.msn.com

This trojan adds adult-oriented links to the Favorites-folder.

Trojan.Win32.Startpage.AX

Computer Associates May 2004

trojan.win32.startpage.ax.exe

 

Troj_Startpage.B

Trend Micro Oct 19, 2004

C:\Documents and Settings\All Users\StartMenu\Programs\Startup\WinLogon.exe

Hijacks IE’s startpage and points it to http://allneedsearch.com/
Hijacks IE’s Search-functions and points them to http://allneedsearch.com/spm.htm

Modifies registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main Start Page= "http://allneedsearch.com/"
HKCU\Software\Microsoft\Internet Explorer\Main Search Page= "http://allneedsearch.com/"
HKCU\Software\Microsoft\Internet Explorer\SearchUrl @= "http://allneedsearch.com/"
HKCU\Software\Microsoft\Internet Explorer\Main Search Bar= "http://allneedsearch.com/spm.htm"
HKCU\Software\Microsoft\Internet Explorer\Main Use Search Asst= "no"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search SearchAssistant= "http://allneedsearch.com/spm.htm"

Adds several adult-oriented links to the Favorites-folder.

Reg_Startpage.B (Reg_Startpage.A variant)

Trend Micro feb 26 2004

sys.reg

Uses the file sys.reg and URL http:/get-find.com/index.php for the hijack.

Adware.Startpage.B

Symantec sep 1 2004

%System%\internst32.exe

Adds an autostart-entry to the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ControlPanel"="%System%\internst32.exe internet.dll,LoadNetworkProfile"

Hijacks the Startpage of IE by modification of this registry-entry:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page"="http:/ /www.selfsearch.biz"

Trojan.Win32.Startpage.BE

Computer Associates May 2004

Win32.Startpage.AE, Win32/Startpage.21504!Trojan

776a6dbd854c9200f16a9005278e156c.exe

 

Trojan.Win32.Startpage.BF

Computer Associates dec 2003

csrss.exe

 

Trojan.Win32.Startpage.BG

Computer Associates Mar 2004

Trj/Bookmark.B, Win32.Startpage.AG, Win32/StartPage.AG!Trojan

trojan.win32.startpage.bg.dll

 

Trojan.Win32.Startpage.BH

VirusList Nov 16 2004

StartPage-AI.gen, Trojan.StartPage, Trojan.Bizten.19968,  Trojan:Win32/StartPage.BH,  TROJ_STARTPAGE.A, Win32:Trojan-gen,  Startpage.DE , Trojan.StartPage.BH,  Win32/StartPage.BH

 

Hijacks the homepage and search-functions of IE, and points them to http://teen-biz.com/, by modification of these registry-keys:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\SearchURL\provide
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
Adds the following links to the Favourites-folder:
Quality Galleries 50 000 freepics and movie.url  WOW VIDEOS AND PICS  -- REALLY HARDCORE VIDEOS.url  Series Hardcore Pic Sets and Movies.url  Elite Teen Sites - Adult portal The Best TEEN SITES.url  Elite Mature Sites - Adult portal The Best Mature Sites.url  FULL COLLECTION DIRTY PORNO.url  Young Teen Fucking Great Lo Archives.url
Opens the page http://toteen.com/cgi-bin/tds/in.cgi?outgo every 1.5 hours

Trojan.Win32.Startpage.BJ

Computer Associates Mar 2004

trojan.win32.startpage.bj.exe

 

Troj_Startpage.BL

Sophos 22 jun 2004

Trojan.Win32.StartPage.gj, StartPage-DG, TROJ_STARTPAGE.T

C:\Windows\System32\OLEHELP.EXE

Adds the autostart-entry

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\olehelp = C:\Windows\System32\OLEHELP.EXE
Modifies the following registry-entries to hijack IE's search-functions as follows:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar = http://find4u.net/index.htm
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page = http://find4u.net/index.htm
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = http://find4u.net/index.htm
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\"" = http://find4u.net/index.htm
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\provider = gogl
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = http://find4u.net/index.htm

Adds extra links to the Windows Favorites-folder.

Trojan.Win32.Startpage.BM

Computer Associates May 2004

Trj/StartPage.GJ

trojan.win32.startpage.bm.exe

 

Trojan.Win32.Startpage.BS

Computer Associates May, 2004

 

 

Troj_Startpage.C

Trend Micro jan 21 2003

Trojan.Win32.StartPage.d, Trojan:Win32/StartPage.C, Troj/StartPageD

WINWEB.INI

Drops the file WINWEB.INI on the computer and adds this autostart-entry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService B.B(oZc) = "malware path and file name"

Hijacks the home- and local-page of IE by modifying the registry-entries

HKCU\Software\Microsoft\Internet Explorer\Main Local Page = http://www.q***p.net/O9.htm

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = http://www.q***p.net/O9.htm

Reg_Startpage.C (Reg_Startpage.A-variant)

Trend Micro Mar 4 2004

Troj/WinREG

sys.reg

 

Changes the homepage of IE to http://getBLOCKEDind.com/index.php

Adware.Startpage.C

Symantec feb 15 2005

wertjojo.exe

Keygenerator.exe

Hijacks IE's homepage and points it to http:/ /www.wertjojo.de/wbb/wbboard/main.php, by modification of registry-entry HKCU\SOFTWARE\Microsoft\Internet Explorer\Main Start Page
Makes a screenshot of the desktop and places it, with an ad-window "visit www.wertjojo.de", over the real desktop, by alteration of the registry-entry HKCU\SOFTWARE\Microsoft\Internet Explorer\Main Window Title

Trojan.Win32.Startpage.CB

Computer Associates May, 2004

Trj/StartPage.AU, Win32/StartPage.cb!Trojan

 

82d32133964bbc152c6a4ad8a189a5fa.exe

 

Trojan.Win32.Startpage.CL

Computer Associates jan 2004

Trj/Bookmark.B, Win32.Startpage.BL, Win32/StartPage.BL.5120!Trojan

cpan.dll

 

Troj_Startpa.CY

Sophos may 14 2004

TROJ_STARTPAGE.V, StartPage-CY, Trojan.Win32.StartPage.go

%System%\svcc.exe

Adds an autostart-entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ControlPanel=C:\WINDOWS\System32\svcc.exe internat.dll,LoadKeyboardProfile

Hijacks the homepage of IE and points it to http://world-search.biz/

Trojan.Win32.Startpage.CZ

Computer Associates May 2004

trojan.win32.startpage.cz.exe

 

Troj_Startpage.D

Trend Micro 13 dec 2003

 

Adds the autostart-entry

HKCU\Software\Microsoft\Windows\CurrentVersion\Run AddClass=<malware name and location>

Hijacks IE's startpage and search-functions by modification of these registry-entries:

HKLM\Software\Microsoft\Internet Explorer\Main Search Bar=http://www.hand-book.com/search/

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Default_Search_URL=http://www.hand-book.com/search/

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant=http://www.hand-book.com/search/

HKLM\Software\Microsoft\Internet Explorer\Search CustomizeSearch=http://www.hand-book.com/search/

Alters the Default prefix http:// to http://ehttp.cc/?

Adds the item 66.118.163.109 auto.search.msn.com to the Windows Hosts-file (only pre-XP)

Also adds links to the Favorites-folder in the folder %windows% (only pre-XP)

Reg_Startpage.D (Reg_Startpage.A Variant)

Trend Micro feb 7 2005

REG.Startpage.BU, Reg/Seeker

 

Module to be used in other malware.

Hijacks the home-page and search-page of IE and points them to http://%79%7A%71%76%71%67%.....%2E%63%63/%68%70%2E%70%68%7

Java_Startpage.D

Trend Micro Oct 26 2003

Trojan.StartPage, Trojan.Java.StartPage.d

 

JavaClass-file. Hijacks IE's home- and start-page to URL http://www.searchv.com and ..../search.html.
Adds links to adult-sites to the favorites-folder.
Puts a shortcut sex.url (which links to an adult-site) on the desktop.

Troj_Startpage.DA

Sophos 6 jul 2004

Trojan.Win32.StartPage.ck, StartPage-DA, TROJ_STARTPAGE.C

 

Adds the autostart-entry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AddClass
Hijacks several functions of IE by modifying/adding the following registry-entries:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Class Starts
HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\Use My Stylesheet = 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\Use My Stylesheet = 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\SearchPage
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\SearchPage
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\(Default)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www.

Adds links to the favorites-folder.

Trojan.Win32.Startpage.DJ

Computer Associates May 2004

Trj/StartPage.BF, Win32.Startpage.CB, Win32/QHosts!Trojan

trojan.win32.startpage.dj.exe

 

Reg_Startpage.E (Reg_Startpage.A Variant)

Trend Micro nov 11 2003

 

c:\ie.reg

Component of Java_Startpage.E.
The registry-scriptfile c:\ie.reg modifies the registry, to hijack the IE Homepage and points it to http://www.hotsearchbox.com/ie/

Java_Startpage.E

Trend Micro nov 11 2003

JV/GoPlanet, Trojan.Java.StartPage.e

 

JavaApplet-file. Uses Reg_Startpage.E to hijack IE's home- and start-page to http://www.topsearcher.com/ie/.
Regularly tries to contact its maker's website to check for updates.

Trojan.Startpage.E

Symantec jun 6 2004

Attempts to end the following processes:
MCUPDATE.EXE, CFIAUDIT.EXE, AVXQUAR.EXE, AUTOUPDATE.EXE, AUTOTRACE.EXE, AUTODOWN.EXE, AUPDATE.EXE, NUPGRADE.EXE, UPDATE.EXE, ICSUPP95.EXE, ICSSUPPNT.EXE, DRWEBUPW.EXE, LUALL.EXE, AVPUPD.EXE, AVWUPD32.EXE, ATUPDATER.EXE, serve.exe, loadclean.exe, loader.exe, runddl.exe

Overwrites the Windows Hosts-file with several hundred lines that prevent you from opening certain Web pages.
Deletes the registry-keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ControlPanel"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Key2"

Trojan.Win32.Startpage.EV

Computer Associates jan2 2004

W32/Istbar.B@dl, Downloader-JV, Adware-RBlast.dldr, Win32/StartPage.couldnotfind.Downloader , Win32/StartPage.couldnotfind.Trojan , Win32.Startpage.EV!downloader, TrojanDownloader.Win32.IstBar.eh, TrojanDownloader.Win32.Small.gl

 

Dropped by the downloader-trojan Win32.Startpage.EV!downloader.

Hijacks the home- and search-page of IE by adding/modifying the following registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main BandRest

HKCU\Software\Microsoft\Internet Explorer\Main Search Page

HKCU\Software\Microsoft\Internet Explorer\Main Search Page_bak

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar

HKCU\Software\Microsoft\Internet Explorer\Main Use Search Assistant

HKCU\Software\Microsoft\Internet Explorer\Main Start Page

HKCU\Software\Microsoft\Internet Explorer\Main Start Page_bak

Search Page_bak and Start Page_bak contain the original values for Search Page and Search Bar

Troj_Startpage.F (Troj_StartPage. AX??)

Trend Micro jan 8 2004

.StartPage.F, TrojanDropper:Win32/Small.MV, Win32.Startpage.KU, Win32/Startpage.KU!Trojan

%system%\ctrlpan.dll

%Windows%\HH.HTT

A dropper-trojan drops the file ctrlpan.dll in the %system%-folder and executes its own API-function to add the following registry-entry, which allows ctrlpan.dll to run upon execution of an application:

On Win NT-based systems

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs = “ctrlpan.dll”

On Win 95, 98 and ME systems

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Control = “rundll32.exe %System%\ctrlpan.dll,Restore ControlPanel”

** On Windows 95, 98 and ME systems, an error message may be displayed. However, the malware still executes successfully.**

HH.HTT is dropped in the %Windows%-folder. This file is used to reset the User Stylesheet of IE by modifying these registry-entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles Use My Stylesheet = dword:00000001

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Styles User Stylesheet = %Windows%\hh.htt

Hijacks the homepage and some Search-functions and points them to http://afind.info/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Start Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Bar

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer SearchURL

Adds an infection-marker to the registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\eplorer Control = <random dword value>

On Win ME systems, the entry [rename] NUL=%systemdir%\ctrlpan.dll is added to the file %Windows%\WININIT.INI

The line 205.177.124.66 auto.search.msn.com is added to the Hosts-file.

Adds the following links to the favorites-folder:

!!! Exclusive Youngest Porn !!!  80 old daddies brutally fucking their daughters  CENSORED YOUNGEST PORN  Fresh XXX pics & movie  Fucking Young Virginz !!!  Innocent Girls Brutally Fucked  Little Bitches Getting Fucked  Virgin Girls in Action  XXy.o. girls getting brutally fucked by huge dick  Young masha sucking huge dick until her lips teared open  Youngest Girls Only  Youngest Hardcore Action

Trojan.Win32.Startpage.F

Computer Associates Mar 2004

trojan.win32.startpage.f.exe

 

Java_Startpage.F

Trend Micro nov 11 2003

JV/GoPlanet, Trojan.Java.StartPage.e

IE.REG

R.REG

JavaApplet-file. Attempts to contact the site http://66.79.166.153/se/done.php (currently offline) to download 2 files.
IE.REG, which contains the registry-entries to hijack the IE search-functions, which (after applying) point to http://www.hotsearchbox.com/ie/
R.REG contains the registry-entry to automatically run the hijack-scriptfile:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemSearch = REGEDIT.EXE -S c:\\ie.reg

Trojan.Win32.Startpage.FG

VirusList Mar 03 2005

Troj_Startpage.FG, StartPage-DX, Trojan.StartPage, Trojan.StartPage.278, TROJ_STARTPAG.S, TR/Dldr.Favadd, Win32:Trojan-gen, Startpage.9.BV, Trojan.StartPage.FG, Trojan.Startpage-135, Trj/StartPage.gen

%windows%\crcspider.ico

%favorites%\cracks (folder)

Hijacks the homepage of IE and points it to http://crackspider.net/ie/first.php
A file crcspider.ico is created in the %windir%-folder.
Creates/modifies the following registry-entries:
[HKCU\Software\Microsoft\Internet Explorer\Main] "Search Bar" = http://crackspider.net/ie/sbar.php
[HKCU\Software\Microsoft\Internet Explorer\Search] "SearchAssistant" = http://crackspider.net/ie/assist.php
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "ButtonText" = "Search cracks at CrackSpider.NET"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "ClSid" = (1FBA04EE-3024-11d2-8F1F-0000F87ABD16)
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "Default Visible" = "Yes" 
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "Exec" = http://crackspider.net/ie/btn.php
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "HotIcon" = "%windows%\crcspider.ico"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "Icon" = "%windows%\crcspider.ico"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "MenuStatusBar" = "Search cracks at CrackSpider.NET"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)] "MenuText" = "Search cracks at CrackSpider.NET" 
Creates a new folder cracks in the Favourites-folder, with the following shortcuts:
! CrackSpider.NET - Cracks search engine.url  !! TheBUGS.ws - Security Related Portal.url  !!! CrackPortal.com - Cracks, serial numbers.....url  anyCracks.com - Keygens, patches, crackz....url  Astalavista - Cracks search engine.url  CrackSpider.DE - Cracks search engine.url  CrackSpider.US - Cracks search engine.url  CrackWay - Since 2001 cracks  rhive.url  iCracks.net - Keygens, patches, crackz....url  KeyGen.US - Keygens, patches, crackz....url  mscrack.com - Cracks, serial numbers.....url
Adds the following domains to the Hosts-file to redirect them to the address 213.239.0.226:
andr.net  astalavista.box.sk  crackspider.com  crackz.ws  www.andr.net  www.crackz.ws  www.crackspider.com
Adds its own icon to the IE toolbar. This icon acts as a link to http://crackspider.net/ie/btn

Trojan.Win32.Startpage.FZ

Computer Associates Aug 03 2004

StartPage-, Win32.Startpage.FZ!generic, Win32/StartPage.IX, Trojan.Win32.StartPage.ix

%system%\<random>.dll

%temp%\sp.html

%temp%\se.dll

Dropped as a randomly named DLL-file in the %system%-folder by Win32.DlMersting and then executed.

A copy of a custom-made searchpage sp.html may be dropped in the %temp%-folder.

It installs itself as a BHO with a random CLSID and filename by adding these registry-entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}
HKCR\CLSID\{<the random clsid, used in the hklm-entry>}\InProcServer32\(Default)="%System%\<random>.dll"

HKCR\CLSID\{<the random clsid, used in the hklm-entry>}\InProcServer32\ThreadingModel=Apartment

It also installs itself as a permanent pluggable MIME filter, so that a webpage chosen by the trojan-writer is shown instead of an about:blank page, by modification of these registry-entries:

HKCR\PROTOCOLS\Filter\text/html\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}
HKCR\PROTOCOLS\Filter\text/plain\CLSID={C4B51C1A-A650-4D29-BCF8-5F860AE42DFD}

Hijacks homepage and search-functions by modification of these registry-entries (depending on the minor variants of the trojan):

HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP="about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1

HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page="about:blank"

HKLM\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL=1

HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

Variation 1:

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html

HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar=file://%Temp%\sp.html

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page=file://%Temp%\sp.html

HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant=file://%Temp%\sp.html

Variation 2:

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar="res://C:\WINDOWS\System32\<random>.dll/sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page="res://C:\WINDOWS\System32\<random>.dll/sp.html"

HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://C:\WINDOWS\System32\<random>.dll/sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar="res://C:\WINDOWS\System32\<random>.dll/sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page="res://C:\WINDOWS\System32\<random>.dll/sp.html"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant="res://C:\WINDOWS\System32\<random>.dll/sp.html"

Variation 3 may modify this registry-entry to display SP.html in the searchbar of IE.

HKCU\software\microsoft\Internet Explorer\Main\Search Bar = res://%Temp%\se.dll/sp.html

In this case, the file se.dll is dropped in the %temp%-folder (also see Win32.Startpage.NS)

Depending on the variant, may try to patch the API-call InternetConnectA, in the file wininet.dll, to redirect this API to code within its own DLL.

Searches for domains in the Hosts-file and disables them by commenting them out: windows-data.info  ak47.be  channels.at  refer.cn  look-up.tv  count.cc  searchx.cc  google.com  yahoo.com  msn.com  netscape.com  ieautosearch (other domains can be searched for as well)

The read-only attribute of the Hosts-file is also set.

Reg_Startpage.G (Reg_Startpage.A Variant)

Trend Micro sep 16 2004

Trojan.WinREG.StartPage, Reg/Seeker

Portal.Reg

Component of Troj_Startpage.AK.

Uses the registry-scriptfile Portal.Reg to change several IE-registry-entries
Hijacks the homepage and replaces it with the URL http://portal.soul-gate.net/

Troj_Startpage.G

SecureMost mar 2004

Trojan.Bookmarker.C?), CWS.Smartfinder, CWS.notepad32

%SystemRoot%\system32\NOTEPAD.EXE

Drops the file Notepad32.exe in %SystemRoot%\system32

Modifies the following registry-entry to run the trojan when a text file is opened: HKLM\SOFTWARE\Classes\txtfile\shell\open\command = %SystemRoot%\system32\NOTEPAD.EXE %1
Drops the trojans TROJ_GOWEH.A and/or TROJ_GOWEH.B, which are IE-hijacking trojans.

Troj_Startpage.H

Trend Micro 7 jun 2004

Trojan.Win32.StartPage.ho, Trojan.Win32.StartPage.h, Trojan.Win32.StartPage.hh, Trojan:Win32/StartPage.H, Trojan:Win32/StartPage.HH

 

DLL-component without autostart-capabilities.

To start this trojan, this entry is added to the registry
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ShellServiceObjectDelayLoadSystem = <CLSID of the DLL malware>
Hijacks the startpage and search-functions of IE and points them to http://jksearch.biz/redir.php, by modification of these registry-entries:
HKLM\Software\Microsoft\Internet Explorer\Main Local Page = "http://jksearch.biz/redir.php"
HKLM\Software\Microsoft\Internet Explorer\Main Start Page = "http://jksearch.biz/redir.php"
HKLM\Software\Microsoft\Internet Explorer\Main Default_Page_URL = "http://jksearch.biz/redir.php"
HKCU\Software\Microsoft\Internet Explorer\Main Local Page = "http://jksearch.biz/redir.php"
HKCU\Software\Microsoft\Internet Explorer\Main Start Page = "http://jksearch.biz/redir.php"
HKCU\Software\Microsoft\Internet Explorer\Main Default_Page_URL = "http://jksearch.biz/redir.php"

It also deletes the following registry-entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run ControlPanel
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Key2
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Key2
It ends the following processes:

MCUPDATE.EXE  CFIAUDIT.EXE  AVXQUAR.EXE  AUTOUPDATE.EXE  AUTOTRACE.EXE  AUTODOWN.EXE  AUPDATE.EXE  NUPGRADE.EXE  UPDATE.EXE ICSUPP95.EXE  ICSSUPPNT.EXE  DRWEBUPW.EXE  LUALL.EXE  AVPUPD.EXE  AVWUPD32.EXE  ATUPDATER.EXE  serve.exe  loadclean.exe  loader.exe  runddl.exe

Adds several websites to the Windows Hosts-file, to make them unreachable

Troj_Startpage.I

Trend Micro dec 23 2003

StartPage-AI, Trojan.Win32.StartPage.az

 

Hijacks the homepage and search-functions of IE and points them to http://start-search.com/ by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main Use Search Asst = "no"

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = http://start-search.com/sp.html

HKCU\Software\Microsoft\Internet Explorer\SearchUrl Default = "http://start-search.com/"

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = http://start-search.com/

HKCU\Software\Microsoft\Internet Explorer\Main Search Page = "http://start-search.com/"

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant = "http://start-search.com/sp.html"

Adds these url-shortcuts to the favorites-folder:

FREEDAILYUPDATEDHARDCOREGALLERIES.url  URL=http://www.terra.es/personal7/BLOCKEDteen/

FREEDAILYUPDATEDTEENGALLERIES.url  URL=http://www.terra.es/personal7/penibig

~Fully categories porn database. Enjoy!.url  URL=http://www.mixedporno.com

199 PHOTOS YOUNG GIRLS.url  URL=http://eliteteensites.com

Coolest megaporn archive !!! FREE !!!.url  URL=http://start-search.com

Troj_Startpage.K

Trend Micro may 22, 2003

 

 

Is dropped and executed when its dropper-trojan JS_STARTPAGE.DRP is opened.

Modifies the Internet Explorer home page to WWW.91LUB.RU

See Troj_Startpage.W

Troj_Startpage.M

Trend Micro 23 dec 2003

Trojan:Win32/StartPage.Y, Trojan.Win32.StartPage.y, Trojan.StartPage.57344, Trj/StartPage.G, TR/KillReg.StartP.Y, Trojan.Win32.StartPage.25088

%Windows%\hh.htt

%Windows%\Web\tips.ini

Hijacks IE startpage and search-functions and points them to http://in.we<BLOCKED>unter.cc/---/?bzbjr

Modifies the following registry entries to maintain the hijack:

HKCU\Software\Microsoft\Internet Explorer SearchURL = http://%69%6e%2e.....%63%63/%2d%2d/?%62%7a%62%6a%72"

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = "http://66.250.130.200/main/hp.php" "http://%69%6e%2e..... /?%62%7a%62%6a%72 about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main Search Page = "http://%69%6e%2e..... %2d/?%62%7a%62%6a%72"

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = "http://%69%6e%2e.....% 2d%2d/?%62%7a%62%6a%72"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Default_Search_URL "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch" "http://%69%6e%2e%77%65%62%63%6f%75%6e% 74%65%72%2e%63%63/%2d%2d/?%62%7a%62%6a%72"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Search Page = "http://%69%6e%2e..... %2d/?%62%7a%62%6a%72"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Start Page = "http://%69%6e%2e.....?%62%7a%62%6a%72 about:blank"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search SearchAssistant= http://%69%6e%2e.....%2d/?%62%7a%62%6a%72

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search CustomizeSearch = "http://%69%6e%2e.....%62%7a%62%6a%72"

Troj_Startpage.NS

Computer Associates mar 08 2005

Troj/Ablank-F, StartPage-DU.dll, Trojan.Win32.StartPage.uz

 

Is dropped onto the computer by Win32.Startpage.FZ as a DLL-file and displays popups periodically to redirect users to a specific site.

The following auto-start entry is added: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp = rundll32 <path>,DllInstall

It prevents execution of multiple instances of itself by creating a mutex, called SP.

Creates these registry-entries:

HKCU\Software\Microsoft\Windows\shell\MRU = <random value>

HKCU\Software\Microsoft\Windows\shell\MRUData = <random data>

Reg_Startpage.R (Reg_Startpage.A Variant)

Trend Micro mar 4 2004

sys.reg

Often distributed as part of a malware-package.
Uses the file sys.reg to hijack the home- and search-page, which are modified to http://pc<blocked>rh.t.muxa.cc/h.php?aid=33

Troj_Startpage.O

Trend Micro april 3 2004

Win32.Trojan.StartPage.au

 

Hijacks the startpage of IE and points it to http://a<BLOCKED>find.info/ by modification of the registry-entry

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = “http://a***find.info/”

Adds these adult-oriented shortcuts to the favorites-folder:

!!! Exclusiv***oungest Porn !!!.url  80 old daddies brutally ***cking their daughters.url  80 Yong gi***movies.url  90 Schoolgi*** movies.url  CENSORED YOUNG***T PORN.url  Fresh XXX pic*** movie.url  Fucking Young ***ginz !!!.url  Innocent Girl***rutally Fucked.url  Little Bitches Getting ***cked.url  Virgin Girli***n Action.url  XX y.o. girls getting brutally ***cked by huge dick.url  oung Masha s***ing huge dick until her lips teared open.url  Youngest Girl***nly.url  Youngest Har***re Action.url

Troj_Startpage.Q

Trend Micro jul 22 2003

%Windows%\DEFAULT.CSS

%Windows%\%WebDir%\OSLOGO.BMP

Hijacks the home- and search-page of IE and points it to either http://www.coolwww.search.com/p/c/x1.cgi/?100 or http://out.true-counter.com/b/?101

Drops 2 files, %Windows%\DEFAULT.CSS and %Windows%\Web Directory\OSLOGO.BMP, which set up a new CSS

Adds these registry-entries to make the new stylesheet default for IE:

HKCU\Software\Microsoft\Internet Explorer\Styles User Stylesheet = "C:\WINDOWS\default.css"

HKLM\Software\Microsoft\Internet Explorer\Styles User Stylesheet = "C:\WINDOWS\default.css"

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Styles User Stylesheet = "C:\WINDOWS\default.css"

Modifies the following registry-entries:

HKCU\Software\Microsoft\Internet Explorer Search = <url>

HKCU\Software\Microsoft\Internet Explorer SearchURL = <url>

HKCU\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKCU\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = <url>

HKCU\Software\Microsoft\Internet Explorer\Main HOMEOldSP = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Default_Page_URL = <url>

HKLM\Software\Microsoft\Internet Explorer Search = <url>

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com (Default) = ""

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com * = dword:00000002

HKU\.DEFAULT\Software\Microsoft\Internet Explorer Search = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer SearchURL = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Search bar = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main HOMEOldSP = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Default_Page_URL = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Search Page= <url>

HKLM\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKLM\Software\Microsoft\Internet Explorer\Main Search Page = <url>

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKLM\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Start Page = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Search Page = <url>

<url> can be either http://www.coolwww.search.com/p/c/x1.cgi/?100 or http://out.true-counter.com/b/?101

 

Trojan.Win32.Startpage.SP

Viruslist.com dec 23 2003

TR/StartPage.sp, Startpage.15.BH, Trojan.Startpage-198

 

Part of AdWare.ToolBar.Perez.

Troj_Startpage.T

Trend Micro april 4 2004

 

%system%\ olehelp.exe

Adds the following autostart-entry to the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run Olehelp = "C:\Windows\System32\olehelp.exe"

Hijacks the homepage and search-functions of IE to point to http://find4u.net/index.htm, by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = http://find4u.net/index.htm

HKCU\Software\Microsoft\Internet Explorer\Main Search Page = http://find4u.net/index.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search SearchAssistant = http://find4u.net/sp.htm

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = "http://find4u.net/sp.htm"

HKCU\Software\Microsoft\Internet Explorer\SearchUrl @ = http://find4u.net/index.htm

Adds several URL files, which are all related to adult sites, in the Favorites folder.

Troj_Startpage.U

Trend Micro oct 11 2003

 

Hijacks the home- and search-page of IE by modifying these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Search Search Page="http://www.searchv.com/1/search.html"

HKCU\Software\Microsoft\Internet Explorer\Main Start Page="http://www.searchv.com/1/"

Adds these adult-oriented shortcuts to the favorites-folder:

eXtreme Sex pictures and movies.url  Only Sex and nothing else.url Free Porn Links Seven Days a week.url  Clean daily free porn links.url  Yellow porn pages.url  Best porn pictures and movies daily.url  Operation Sex - Elite porn galleries.url  Links\Search with pleasure.url

Trojan.Win32.Startpage.U

Computer Associates Aug 2005

 

No relevant information, at this time

Troj_Startpage.W

Trend Micro nov 11 2003

Trojan.StartPage, StartPage-W, W32/Cardown.A, Trojan.StartPage.57344, TR/StartPage.Y, Startpage.B, Trojan.Win32.StartPage.57344

%Windows%\DEFAULT.CSS

%Windows%\%WebDir%\win.def

Hijacks the homepage of IE to point to http://globe-finder.cc and the search-functions of IE to http://lucysearch.net/ydtfs/left.html

Drops 2 files, %Windows%\DEFAULT.CSS and %Windows%\Web Directory\win.def, which set up a new CSS

Adds these registry-entries to make the new stylesheet default for IE:

HKCU\Software\Microsoft\Internet Explorer\Styles User Stylesheet = "C:\WINDOWS\win.def"

HKLM\Software\Microsoft\Internet Explorer\Styles User Stylesheet = "C:\WINDOWS\win.def"

Modifies the following registry-entries:

HKCU\Software\Microsoft\Internet Explorer Search = <url>

HKCU\Software\Microsoft\Internet Explorer SearchURL = <url>

HKCU\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKCU\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = <url>

HKCU\Software\Microsoft\Internet Explorer\Main HOMEOldSP = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Default_Page_URL = <url>

HKLM\Software\Microsoft\Internet Explorer Search = <url>

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com (Default) = ""

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwwwsearch.com * = dword:00000002

HKU\.DEFAULT\Software\Microsoft\Internet Explorer Search = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer SearchURL = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Search bar = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main HOMEOldSP = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Default_Page_URL = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = <url>

HKCU\Software\Microsoft\Internet Explorer\Main Search Page= <url>

HKLM\Software\Microsoft\Internet Explorer\Main Default_Search_URL = <url>

HKLM\Software\Microsoft\Internet Explorer\Main Search Page = <url>

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant = <url>

HKLM\Software\Microsoft\Internet Explorer\Search CustomizeSearch = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Start Page = <url>

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main Search Page = <url>

Modifies the Windows hosts-file to redirect auto.search.msn.com to another site

 

Trojan.Win32.Startpage.W

Computer Associates Feb 2004

trojan.win32.startpage.w.exe

 

Troj_Startpage.X

Trend Micro jan 2 2004

 

Hijacks the homepage of IE and points it to http://www.okww.net/ by modification of the registry-entry

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = http://www.okww.net/

Registry shell spawning executes the malware whenever a user opens files with EXE, PIF, COM, BAT, TXT or HTA extensions.

Therefore the following registry-entry is modified: HKCR\txtfile\shell\open\command\default = <file>, where file is the trojan-file.

Trojan.Win32.Startpage.Y

Computer Associates Aug 2002

Trj/StartPage.F, Win32.Startpage.G, Win32.Startpage.Y, Win32/StartPage.G.Trojan, Win32/Startpage.Y!Trojan, Win32/StartPage.Y2.trojan

bootconf.exe

%system%\soundmx.exe

trojan.win32.startpage.y.exe

Adds the following autorun-entry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\soundmx

VBS_StartPage.A

Trend Micro, Aug 22, 2004

VBS/StartPage.G, VBS/StartPage.Q, Trojan.VBS.StartPage.g

%system%\RUNDLL32.VBE

Dropped and executed by VBS_INOR.AB, it drops the file RUNDLL32.VBE in the %system%-folder.

It’s usually packaged with HTML_MHTREDIR.V, HTML_MHTREDIR.A, JS_STARTPAG.A, TROJ_STARTPAG.A and CHM_STARTPAG.A (among others).

Adds these autostart-entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = “%System%\rundll32.vbe”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Windows Security Assistant = “%System%\rundll32.vbe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = “%System%\rundll32.vbe”

Hijacks the homepage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main SearchURL= http://go.targetsearch.info/
HKCU\Software\Microsoft\Internet Explorer\Main Search Bar= http://targetsearch.info/left.php
HKCU\Software\Microsoft\Internet Explorer\Main Default_Search_URL= "http://targetsearch.info/left.php"
HKCU\Software\Microsoft\Internet Explorer\Main Start Page= http://go.targetsearch.info/
HKCU\Software\Microsoft\Internet Explorer\Main Search Page = "http://targetsearch.info/left.php"

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main SearchURL= http://go.targetsearch.info/
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Search Bar= http://targetsearch.info/left.php
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Default_Search_URL= "http://targetsearch.info/left.php"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Search Page = "http://go.targetsearch.info/"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main Start Page = "http://targetsearch.info/left.php"

VBS_StartPage.AV

Trend Micro, Jan 10, 2004

VBS/StartPage-AV

%system%\RUNDLL32.VBE

%System%\README.TXT

Adds these autostart-entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = “%System%\rundll32.vbe”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Windows Security Assistant = “%System%\rundll32.vbe”

HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = “%System%\rundll32.vbe”

Hijacks the homepage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = http://www.alfa-search.com/start.html

HKCU\Software\Microsoft\Internet Explorer\Main SearchURL = http://www.alfa-search.com/start.html

HKCU\Software\Microsoft\Internet Explorer\Main Search Page = http://www.alfa-search.com/search.html

HKCU\Software\Microsoft\Internet Explorer\Main Search Bar = "http://www.alfa-search.com/search.html"

HKCU\Software\Microsoft\Internet Explorer\Main Default_Search_URL = http://www.alfa-search.com/search.html

HKLM\Software\Microsoft\Internet Explorer\Main Start Page = http://www.alfa-search.com/start.html

HKLM\Software\Microsoft\Internet Explorer\Main SearchURL = http://www.alfa-search.com/start.html

HKLM\Software\Microsoft\Internet Explorer\Main Search Page = http://www.alfa-search.com/search.html

HKLM\Software\Microsoft\Internet Explorer\Main Search Bar = http://www.alfa-search.com/search.html

HKLM\Software\Microsoft\Internet Explorer\Main Default_Search_URL = http://www.alfa-search.com/search.html

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant = http://www.alfa-search.com/search.html

HKCU\Software\Microsoft\Internet Explorer\TypedURLs url1 = "http://www.alfa-search.com/start.html"

Drops the file %System%\README.TXT, registers it as a style sheet and modifies the registry to set it as the default one:

HKCU\Software\Microsoft\Internet Explorer\Styles Use My Stylesheet = dword:0x00000001

HKCU\Software\Microsoft\Internet Explorer\Styles User Stylesheet = %System%\readme.txt

The new stylesheet occasionally pops up an Internet Explorer window which opens to an adult site.

Adds lines to the Hosts-file to redirect to 64.124.222.169:

google.com altavista.com yahoo.com thehun.com lycos.com dogpile.com excite.com metacrawler.com search.com

Adds links to the favorites-folder:

Free Viagra Video!.URL   FREE Strip Poker.URL   FREE CASINO !.URL   Free Credit card debt !.URL   Phentermine online FREE.URL   Sex Drugs - FREE! .URL  Hair loss problems.URL  TOBACCO.URL

Creates link-shortcuts on the desktop:

Incest Sex Sites.URL  ~VIAGRA VIDEOS !.URL  ~STRIP POKER.URL  ~ HOME BUSINESS!.URL  Sex Drugs - FREE!.URL  YOUNG PRINCESS.URL

VBS_STARTPAGE.C

Trend Micro Oct. 7, 2002

 

%Windows%\Win584.vbs

Creates an autorun registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Updatexp = “wscript.exe\%Windows%\Win584.vbs”

Hijacks the startpage of IE and points it randomly to one of the 29 adult sites listed in its file.

To be able to maintain the hijack, it modifies the registry-entry:

HKCU\Software\Microsoft\Internet Explorer\Main Start Page

VBS_STARTPAGE.D

Trend Micro Oct. 7, 2002

 

 

Hijacks the Startpage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page="http://www.sex-true.com/search/"

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page="http://www.sex-true.com/search/"

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page="http://66.98.142.163/search.html"

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar="http://66.98.142.163/search.html"

HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"

HKLM\Software\Microsoft\Internet Explorer\SearchUrl\@ ="http://66.98.142.163/search.php?qq=%s"

HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant="http://66.98.142.163/search.html"

HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch="http://66.98.142.163/search.html"

HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant="http://66.98.142.163/search.html"

HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch="http://66.98.142.163/search.html"

HKCU\Software\Microsoft\Internet Explorer\Search\Default_Search_URL="http://66.98.142.163/search.html"

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL="http://66.98.142.163"

HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL="http://66.98.142.163/search.html"

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page="http://66.98.142.163/search.html"

Adds extra links to the favorites-folder: ALL PREMIUM SEARCHES FOR YOU (redirects to http://66.98.142.163/)  FREE HOT PORN (redirects to http://www.sex-true.com/free/)

VBS_STARTPAGE.E

Trend Micro Jan. 19, 2004

 

 

Is dropped from a malicious website or by other malware.

Hijacks the Startpage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Search SearchAssistant = "http://www.search<BLOCKED>go.com/search.hmtl"
HKCU\Software\Microsoft\Internet Explorer\Search CustomizeSearch = "http://www.search<BLOCKED>go.com/search.hmtl"
HKCU\Software\Microsoft\Internet Explorer\Search Default_Search_URL = http://www.search<BLOCKED>go.com/search.hmtl

HKCU\Software\Microsoft\Internet Explorer\Main Start Page = "http://www.search<BLOCKED>go.com/search.hmtl"
HKCU\Software\Microsoft\Internet Explorer\Main Default_Page_URL = "http://www.search<BLOCKED>go.com/search.hmtl"
HKCU\Software\Microsoft\Internet Explorer\Main Default_Search_URL = "http://www.search<BLOCKED>go.com/search.hmtl"
HKCU\Software\Microsoft\Internet Explorer\Main Search Page = http://www.search<BLOCKED>go.com/search.hmtl

HKLM\Software\Microsoft\Internet Explorer\Main Start Page = "http://www.search<BLOCKED>go.com"
HKLM\Software\Microsoft\Internet Explorer\Main Search Page = "http://www.search<BLOCKED>go.com/search.hmtl"
HKLM\Software\Microsoft\Internet Explorer\Main Search Bar = "http://www.search<BLOCKED>go.com/search.hmtl"
HKLM\Software\Microsoft\Internet Explorer\Main Use Search Asst = "no"

HKLM\Software\Microsoft\Internet Explorer\SearchUrl (Default) = http://www.search<BLOCKED>go.com

HKLM\Software\Microsoft\Internet Explorer\Search SearchAssistant = "http://www.search<BLOCKED>go.com/search.hmtl"
HKLM\Software\Microsoft\Internet Explorer\Search CustomizeSearch = "http://www.search<BLOCKED>go.com/search.hmtl"

After being executed, the trojan may close IE, depending on IE-settings

VBS_STARTPAGE.EE

Trend Micro Jan. 23, 2004

VBS.Startpage, VBS/IEStart.e

%System%\rundll32.vbe

Is dropped by other malware.

Creates the following autostart-entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = "%Windows%\System32\rundll32.vbe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant = "%Windows%\System32\rundll32.vbe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Windows Security Assistant = "%Windows%\System32\rundll32.vbe"

Hijacks the Startpage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.viewp***nkey.com"
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL = "http://www.viewp***nkey.com"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.viewp***nkey.com/se.html"
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://www.viewp***nkey.com/se.html"
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.viewp***nkey.com/se.html"

HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.viewp***nkey.com"

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.viewp***nkey.com"
HKLM\Software\Microsoft\Internet Explorer\Main\SearchURL = "http://www.viewp***nkey.com"
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.viewp***nkey.com/se.html"
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://www.viewp***nkey.com/se.html"
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.viewp***nkey.com/se.html"
HKLM\Software\Microsoft\Internet Explorer\Main\SearchAssistant = "http://www.viewp***nkey.com/se.html"

Adds the following url-shortcut in the favorites-file: Drusearch.com - Find Everything You Want!.URL

VBS_STARTPAGE.F

Trend Micro Jan. 20, 2004

 

%System%\rundll32.vbe

Creates the following autostart-entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant="%Windows%\System32\rundll32.vbe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices Windows Security Assistant="%Windows%\System32\rundll32.vbe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Security Assistant="%Windows%\System32\rundll32.vbe"

Hijacks the Startpage and search-functions of IE by modification of these registry-entries:

HKCU\Software\Microsoft\Internet Explorer\Main, Start Page=http://new.pict***es1.net/search.html

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main, SearchURL= http://new.pict***es1.net/search.html

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, Start Page= http://new.pict***es1.net/search.html

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, SearchURL= http://new.pict***es1.net/search.html

HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs, url1= http://new.pict***es1.net/search.html

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main, Search Page= http://new.pict***es1.net/search1.html

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main, Search Bar= http://new.pict***es1.net/search1.html

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main, Default_Search_URL= http://new.pict***es1.net/search1.html

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, Search Page= http://new.pict***es1.net/search1.html

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, Search Bar= http://new.pict***es1.net/search1.html

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main, Default_Search_URL= http://new.pict***es1.net/search1.html

HKLM\SOFTWARE\Microsoft\I