[virusinfo] Troj/StartPa-AE

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Thu, 13 May 2004 17:05:05 -0700

From; Sophos Alert System:

Name: Troj/StartPa-AE
Aliases: Trojan.WinREG.StartPage
Type: Trojan
Date: 13 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


At the time of writing, Sophos has received just one report of
this Trojan from the wild.


Note: The IDE issued for Troj/StartPa-AE at 15:54 GMT on 22
April also contained detection for Troj/Mixtar-B, Troj/Agent-E,
Troj/Ketch-B, Troj/StartPa-GH, Troj/DeathCo-B, W32/FlyVB-A,
Troj/Agent-L and Troj/IEStart-H. This IDE has now been updated
to enhance detection of Troj/Agent-L.



Information about Troj/StartPa-AE can be found at:
http://www.sophos.com/virusinfo/analyses/trojstartpaae.html
Description 
Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer
each
time Windows is started. 
Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which can
be used as an input to Regedit to set the following registry entries: 

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sys = "regedit -s sysdll.reg" 

The last of these registry entries causes the registry to be updated using
Troj/StartPa-AE each time Windows is started. 

Troj/StartPa-AE may be installed on the computer by Troj/AdClick-AE. 
 
 

This IDE file also includes detection for:

Troj/Mixtar-B
http://www.sophos.com/virusinfo/analyses/trojmixtarb.html
Troj/Agent-E
http://www.sophos.com/virusinfo/analyses/trojagente.html
Troj/Ketch-B
http://www.sophos.com/virusinfo/analyses/trojketchb.html
Troj/StartPa-GH
http://www.sophos.com/virusinfo/analyses/trojstartpagh.html
Troj/DeathCo-B
http://www.sophos.com/virusinfo/analyses/trojdeathcob.html
W32/FlyVB-A
http://www.sophos.com/virusinfo/analyses/w32flyvba.html
Troj/Agent-L
http://www.sophos.com/virusinfo/analyses/trojagentl.html
Troj/IEStart-H
http://www.sophos.com/virusinfo/analyses/trojiestarth.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/startpae.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Troj/StartPa-AE
• » [virusinfo] Troj/StartPa-AE
• » [virusinfo] Troj/StartPa-AE

1. Home
2. virusinfo
3. Archive
4. 05-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---