Trojan.Win32.StartPage.dz

tag:Trojans  

Once launched, the Trojan will:

  1. modify the following system registry key values:

    [HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page" = "http://my-searcher.com/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Use Search Asst" = "no"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Search Page" = "http://my-searcher.com/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Search Bar" = "http://my-searcher.com/sp.htm"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL] "Default" = "http://my-searcher.com/index.htm"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL] "provider" = "gog1"
    [HKLM\Software\Microsoft\Internet Explorer\Search] "SearchAssistant" = "http://my-searcher.com/sp.htm"

    These changes redirect Internet Explorer's start page and search settings to my-searcher.com and disable the Search Assistant.

  2. create the following registry key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "olehelp" = "%System%\olehelp.exe"

    This causes "%System%\olehelp.exe" to be launched each time the system is started, provided such a file is present on the victim machine.

  3. create the following shortcuts in the current user's Favorites folder:

    %USERPROFILE%\Favorites\FREE HIDDEN CAMS WORLD
    %USERPROFILE%\Favorites\FREE SPY CAM
    %USERPROFILE%\Favorites\FREE WEB CAMS CHATS
    %USERPROFILE%\Favorites\GET THIS 4 FREE

    These shortcuts lead to the following addresses:

    http://free.hcworld.com/*****searcher.com
    http://free-spy-cam.net/*****searcher.com
    http://web-cams-chat.com/*****searcher.com
    http://getthis4free*****.com/

  4. create the following file: c:\link.exe

    The Trojan then ceases running.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Revert the following system registry key values:

    [HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Use Search Asst"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Search Page"
    [HKCU\Software\Microsoft\Internet Explorer\Main] "Search Bar"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL] "Default"
    [HKCU\Software\Microsoft\Internet Explorer\SearchURL] "provider"
    [HKLM\Software\Microsoft\Internet Explorer\Search] "SearchAssistant"

  4. Delete the following registry key value: [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "olehelp" = "%System%\olehelp.exe"
  5. Delete all shortcuts created by the Trojan:

    %USERPROFILE%\Favorites\FREE HIDDEN CAMS WORLD
    %USERPROFILE%\Favorites\FREE SPY CAM
    %USERPROFILE%\Favorites\FREE WEB CAMS CHATS
    %USERPROFILE%\Favorites\GET THIS 4 FREE

  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
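The following PowerShell triage script is an added example, not part of the encyclopedia entry and not a vendor tool. It checks a host for the artifacts the entry attributes to this Trojan (the seven Internet Explorer values, the "olehelp" Run entry, the four Favorites shortcuts and c:\link.exe) and, with -Remove, carries out the manual removal steps above. Two things are assumptions: the Favorites items are treated as .url shortcuts (the entry gives no extension), and hijacked IE values are reset to about:blank because the entry does not record their original values.

```powershell
# Added triage script for the artifacts this entry attributes to
# Trojan.Win32.StartPage.dz. Not from the encyclopedia entry or any vendor tool.
# Assumptions are marked in comments where they are used.
[CmdletBinding()]
param([switch]$Remove)   # without -Remove the script only reports

$Indicator = 'my-searcher.com'
$IEValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Start Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Use Search Asst' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Name = 'Search Bar' },
    # assumption: the entry's "Default" is the key's default value, which PowerShell exposes as "(default)"
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = '(default)' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\SearchURL'; Name = 'provider' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Search';    Name = 'SearchAssistant' }
)
$RunKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunName       = 'olehelp'
$Shortcuts     = @('FREE HIDDEN CAMS WORLD', 'FREE SPY CAM', 'FREE WEB CAMS CHATS', 'GET THIS 4 FREE')
$DroppedFile   = 'C:\link.exe'
$AutorunTarget = Join-Path $env:SystemRoot 'System32\olehelp.exe'   # %System%\olehelp.exe

$findings = @()

# 1. Internet Explorer start/search values: flag any that point at the Trojan's
#    search site; every other current value is shown under -Verbose for comparison.
foreach ($v in $IEValues) {
    if (-not (Test-Path $v.Key)) { continue }
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = $item.($v.Name)
    if ("$current" -match [regex]::Escape($Indicator)) {
        $findings += "[hijacked] $($v.Key)\$($v.Name) = $current"
        if ($Remove) {
            # assumption: about:blank as a neutral replacement, since the original value is unknown
            Set-ItemProperty -Path $v.Key -Name $v.Name -Value 'about:blank'
        }
    } else {
        Write-Verbose "$($v.Key)\$($v.Name) = $current"
    }
}

# 2. Run-key persistence entry and the file it points at.
$run = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
if ($null -ne $run) {
    $findings += "[persistence] $RunKey\$RunName = $($run.$RunName)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunName }
}
if (Test-Path -LiteralPath $AutorunTarget) {
    # the entry does not say the Trojan drops this file, so it is reported, never deleted
    $findings += "[file] $AutorunTarget exists; inspect before deleting"
}

# 3. Favorites shortcuts (assumption: stored as .url files; the bare name is checked too).
foreach ($name in $Shortcuts) {
    foreach ($candidate in @("$env:USERPROFILE\Favorites\$name", "$env:USERPROFILE\Favorites\$name.url")) {
        if (Test-Path -LiteralPath $candidate) {
            $findings += "[favorites] $candidate"
            if ($Remove) { Remove-Item -LiteralPath $candidate -Force }
        }
    }
}

# 4. File the entry says the Trojan creates.
if (Test-Path -LiteralPath $DroppedFile) {
    $findings += "[file] $DroppedFile"
    if ($Remove) { Remove-Item -LiteralPath $DroppedFile -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Win32.StartPage.dz artifacts found.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
if ($Remove) { Write-Output "Removed $($findings.Count) artifact(s); re-run without -Remove to confirm." }
exit 1
```

Run it first without -Remove (and with -Verbose to see the current values of all seven IE settings, since "Use Search Asst" and "provider" do not contain the site name and are not flagged automatically). Writing the HKLM "SearchAssistant" value requires an elevated session, and the script should only be run after the Trojan process has been terminated, as in step 1, or the values may be rewritten.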

Payload

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11776 bytes in size. It is packed using UPX. The unpacked file is approximately 22KB in size. It is written in Delphi.

©Virus-Encyclopedia.com All Rights Reserved.