
Virus Detail

Win32.Startpage.C

Date Published:
16 Jul 2003

Last Updated:
30 Nov 2003

Threat Assessment

Overall Risk:   None
Wild:  Low
Destructiveness:  Low
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  JS.CSSPopup.B, Win32/IEstart.Trojan, JScript/IEstart.Trojan

Immediate Protection Info

 
Signature      Product                                           Removal Instructions
23.61.71       eTrust Antivirus v7/8* (InoculateIT Engine)
5.x/2518       eTrust EZ Antivirus 5.x
6.x/4753       eTrust EZ Antivirus 6.1x
23.61.71       eTrust InoculateIT 6.0 / eTrust Antivirus 6.0
43.71          Inoculan/InoculateIT 4.x
10.5x/4753     Vet Anti-Virus 10.5x

Description

Win32.Startpage.C is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page.

The trojan may modify the following registry entries in order to accomplish this task, by associating them with the URL that the trojan's writer wishes the user to visit (in this case, the URL is coolwwwsearch.com):

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Values:
Default_Page_URL
Default_Search_URL
HOMEOldSP
Search Bar
Search Page
Start Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
Values:
CustomizeSearch
SearchAssistant
SearchURL

Startpage.C also modifies the Hosts file (on XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems the hosts file is located at %Windows%\hosts). This file contains the mappings of IP addresses to host names. Startpage.C remaps the MSN Search page to the IP address of the site mentioned above. Additionally, it creates the file Default.CSS in the %Windows% directory.

Note: '%System%' and '%Windows%' are variable locations. The trojan determines the location of the current Windows and System folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP is C:\Windows.
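
Both changes described above, the registry values and the hosts file remapping, can be checked offline on data collected from a machine. The following is an added example, not CA's code: it audits values read from the two listed registry keys and the text of a hosts file. The hostname search.msn.com, the IP address and all sample data are assumptions constructed for illustration.

```python
import ipaddress

# Value names from the advisory, by subkey of
# HKCU\Software\Microsoft\Internet Explorer
IE_VALUES = {
    "Main": ["Default_Page_URL", "Default_Search_URL", "HOMEOldSP",
             "Search Bar", "Search Page", "Start Page"],
    "Search": ["CustomizeSearch", "SearchAssistant", "SearchURL"],
}
MARKER = "coolwwwsearch.com"  # domain named in the advisory

def audit_ie_values(values, marker=MARKER):
    """values: {(subkey, name): data} read from the user's hive.
    Returns the (subkey, name) pairs whose data references the marker."""
    marker = marker.lower()
    hits = []
    for subkey, names in IE_VALUES.items():
        for name in names:
            data = values.get((subkey, name))
            if isinstance(data, str) and marker in data.lower():
                hits.append((subkey, name))
    return hits

def audit_hosts(text, watched):
    """Returns (ip, host) for watched names mapped to a non-loopback address."""
    watched = {h.lower() for h in watched}
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line
        hits += [(str(ip), h.lower()) for h in fields[1:]
                 if h.lower() in watched and not ip.is_loopback]
    return hits

# Constructed sample data (assumed hostname, documentation-range IP)
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 search.msn.com # remapped\n"
SAMPLE_VALUES = {
    ("Main", "Start Page"): "http://coolwwwsearch.com/",
    ("Main", "Search Page"): "http://www.example.org/search",
    ("Search", "SearchAssistant"): "http://COOLWWWSEARCH.com/a.html",
}

if __name__ == "__main__":
    print(audit_ie_values(SAMPLE_VALUES))
    print(audit_hosts(SAMPLE_HOSTS, ["search.msn.com"]))
```

On a live system the values dictionary would be filled from the two registry keys listed above, and the hosts text read from the location given for that Windows version.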

Default.css is also detected as JS.CSSPopup.B. It is a Personal Cascading Style Sheet that can be set or removed in IE via Tools|Internet Options|General|Accessibility. This stylesheet attempts to launch a pornographic website in a new window that pops up outside the visible screen. 

This trojan has been seen in the wild, used by businesses with unethical marketing practices in order to increase the flow of traffic to their web sites. Its "payload" of changing the user's start page or search page is not destructive, but could certainly be classified as annoying.

Additional Instructions for Recovering from a Startpage Infection

Startpage changes a user's default Internet Explorer homepage and/or default search page by making changes to the registry. While CA Antivirus solutions will remove a Startpage infection, they will not restore a user's individual Internet Explorer settings to their pre-infection state (as Internet Explorer settings may vary from user to user).

In order to restore Internet Explorer's default settings for the Home and Search pages, please use the following procedure:

  1. Select Tools | Internet Options... from the Internet Explorer menu.
  2. Select the Programs tab.
  3. Click the Reset Web Settings... button. The Reset Web Settings dialog appears.
  4. Ensure that the Also reset my home page box is checked.
  5. Click Yes. This will reset Internet Explorer's default home page and search page.
  6. Click OK.

Note: This will restore Internet Explorer's home page and search page to their default settings (for example www.msn.com). It may not restore settings to their pre-infection state. However, it will ensure that all registry entries modified by the trojan are redirected away from the site that the trojan's writer wished the user to visit.

CA Global Security Advisor
