Content
StartPage-EU
- Type
- Trojan
- SubType
- -
- Discovery Date
- 08/20/2004
- Length
- Varies
- Minimum DAT
- 4388 (08/25/2004)
- Updated DAT
- 4388 (08/25/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 08/20/2004
- Description Modified
- 01/11/2006 11:37 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update August 20, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,95387,00.html
This trojan modifies settings for Microsoft Internet Explorer. When run, the trojan makes the following registry changes:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Customize Search" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch" = http://targetsearch.info/left.php
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://targetsearch.info/left.php
Symptoms
Internet Explorer loading unexpected pages at startup and while searching.
Method of Infection
A hyperlink pointing to an infectious website was reportedly spammed to many users via AIM and ICQ on August 20, 2004. Following that link, landed unsuspecting users on a page containing encoded Exploit-ObjectData trojan code, which loaded another page containing the Exploit-MhtRedir trojan. The Exploit-MhtRedir trojan referenced a CHM file containing the Exploit-CodeBase trojan , which installed the StartPage-EU trojan on vulnerable systems.
Removal
All Users
:
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Download.Ject2
Characteristics
Characteristics -
-- Update August 20, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,95387,00.html
This trojan modifies settings for Microsoft Internet Explorer. When run, the trojan makes the following registry changes:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Customize Search" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Default_Search_URL" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Local Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Search Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = http://targetsearch.info
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "CustomizeSearch" = http://targetsearch.info/left.php
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search "SearchAssistant" = http://targetsearch.info/left.php
Symptoms
Symptoms -
Internet Explorer loading unexpected pages at startup and while searching.
Method of Infection
Method of Infection -
A hyperlink pointing to an infectious website was reportedly spammed to many users via AIM and ICQ on August 20, 2004. Following that link, landed unsuspecting users on a page containing encoded Exploit-ObjectData trojan code, which loaded another page containing the Exploit-MhtRedir trojan. The Exploit-MhtRedir trojan referenced a CHM file containing the Exploit-CodeBase trojan , which installed the StartPage-EU trojan on vulnerable systems.
Removal -
Removal -
All Users
:
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
