Trojan.StartPage.I

Discovered: February 17, 2005
Updated: February 17, 2005 9:24:10 PM
Systems Affected: Windows

Trojan.StartPage.I is a Trojan horse program that attempts to change the Internet Explorer home page and related registry keys.

When Trojan.StartPage.I is executed, it drops the following file:
%sysdir%\snim.dll

Next, it creates the following registry entry to ensure that the .dll runs as an executable service upon startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Systems Restart" = "Rundll32.exe snim.dll,DllRegisterServer"

It then creates the following registry entries, which act as a Microsoft Internet Explorer browser hijacker that redirects the browser to various pages on Horseserver.net:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Systems Restart" = "Rundll32.exe snim.dll,DllRegisterServer"
HKEY_CLASSES_ROOT\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_CLASSES_ROOT\Protocols\Filter\text/html\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_CLASSES_ROOT\Protocols\Filter\text/plain\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_LOCAL_MACHINE\Software\Classes\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\text/html\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_LOCAL_MACHINE\Software\Classes\Protocols\Filter\text/plain\"CLSID" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\"Browser Helper Objects" = "{B72F75B8-93F3-429D-B13E-660B206D897A}"

The Trojan then creates the following uninstaller, which does not work on all versions of Windows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!!
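For offline triage, the registry entries listed above can be checked against a `reg export` dump taken from a suspect host. The following Python is an added example, not part of the original write-up or any vendor tool; it assumes the export has already been decoded to text, reads the quoted last component of each listed entry as the value name, and uses hypothetical function names and a constructed sample.

```python
import re

# Indicators copied from the write-up: (key, value name, expected data fragment).
CLSID = "{B72F75B8-93F3-429D-B13E-660B206D897A}"
HKLM_SW = r"HKEY_LOCAL_MACHINE\Software"
INDICATORS = [
    (HKLM_SW + r"\Microsoft\Windows\CurrentVersion\Run", "Systems Restart", "snim.dll"),
    (HKLM_SW + r"\Microsoft\Windows\CurrentVersion\explorer", "Browser Helper Objects", CLSID),
]
for root in ("HKEY_CLASSES_ROOT", HKLM_SW + r"\Classes"):
    for sub in ("", r"\Protocols\Filter\text/html", r"\Protocols\Filter\text/plain"):
        INDICATORS.append((root + sub, "CLSID", CLSID))

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values from `reg export` text into {key: {name: data}}, names lower-cased."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " in strings
    hive, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive.setdefault(key, {})
        elif key is not None and (m := VALUE_RE.match(line)):
            hive[key][unescape(m.group(1)).lower()] = unescape(m.group(2))
    return hive

def find_indicators(text):
    """Return (key, value name, data) for each listed entry present in the export."""
    hive, hits = parse_reg(text), []
    for key, name, needle in INDICATORS:
        data = hive.get(key.lower(), {}).get(name.lower())
        if data is not None and needle.lower() in data.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample export (decoded text; real `reg export` files are UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systems Restart"="Rundll32.exe snim.dll,DllRegisterServer"
"Updater"="C:\\Program Files\\Example\\update.exe"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{B72F75B8-93F3-429D-B13E-660B206D897A}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{00000000-0000-0000-0000-000000000000}"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE), sep="\n")
```

Key and value names are compared case-insensitively because the registry itself is case-insensitive, and the text/plain entry in the sample is not reported because its CLSID differs from the one listed.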