Description
JS.CSSPopup is a Personal Cascading Style Sheet that attempts to launch a pornographic website in a new window that pops up outside the visible screen. It may use the filename my.css.
CSSPopup has been seen in the wild associated with variants of Win32.Startpage, a family of simple trojans that change the user's default Internet Explorer home or search page. For more information on this trojan, please visit the Win32.Startpage.C description, elsewhere in this encyclopedia.
In order to disable or change the cascading style sheet used by Internet Explorer:
- Select Tools | Internet Options | General
- Click the Accessibility button
- Uncheck the 'Format documents using my stylesheet' check box under 'User style sheet' and click 'Ok'.
or, if you use a personal cascading style sheet to display pages in Internet Explorer:
- Use the Browse button to browse to the location of your stylesheet, and click 'Ok'.
Some recent variants of JS.CSSPopup are installed by a DLL, possibly called "ctrlpan.dll" or "MSCONFD.DLL". This DLL will be loaded through one of the following registry values:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Control = "rundll32.exe %System%\ctrlpan.dll,Restore ControlPanel"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "ctrlpan.dll"
The actual DLL file name may vary.
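The following is an added example, not part of the original description or any vendor tool. It triages saved `reg query` text output for the two load points listed above. The sample output, the "VendorTray" entry and the "review" heuristics for unrecognised DLL names are assumptions made for illustration.

```python
import re

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Control    REG_SZ    rundll32.exe C:\WINDOWS\system32\ctrlpan.dll,Restore ControlPanel
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    ctrlpan.dll
    DeviceNotSelectedTimeout    REG_SZ    15
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
WIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows".lower()
KNOWN_DLLS = {"ctrlpan.dll", "msconfd.dll"}  # file names given in the description
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")
DLL_RE = re.compile(r'([^\\\s",;]+\.dll)', re.I)  # bare DLL file names in the data

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.upper().startswith("HKEY_"):
            key = line
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3) or ""

def triage(text):
    """Return (severity, key, value_name, data) for entries worth a look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        dlls = {d.lower() for d in DLL_RE.findall(data)}
        is_run = key.lower() == RUN_KEY
        is_appinit = key.lower() == WIN_KEY and name.lower() == "appinit_dlls"
        if not (is_run or is_appinit):
            continue
        if dlls & KNOWN_DLLS:
            findings.append(("match", key, name, data))
        elif is_appinit and data.strip():
            # The DLL name may vary, so any populated AppInit_DLLs is reviewed.
            findings.append(("review", key, name, data))
        elif is_run and "rundll32" in data.lower():
            # Assumed heuristic: same rundll32 launch pattern, unknown DLL name.
            findings.append(("review", key, name, data))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "match" means one of the named DLLs is referenced; a "review" entry only shares the load mechanism and needs a manual check of the file it points to.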
This trojan has been seen in the wild, used by businesses with unethical marketing practices in order to increase the flow of traffic to their web sites.
Note: Computer Associates has received reports of a new trojan variant that drops JS.CSSPopup onto an affected machine. Our researchers are currently investigating this threat and will publish additional information as it comes to hand.
If you believe you are infected with this malware, and are having difficulties with reappearing instances of JS.CSSPopup, please submit a sample to virus@ca.com. For further information on how to submit virus samples, please visit: Submitting Virus Samples or Support.