
Trojan.VBS.StartPage.hw

Detected Sep 08 2011 13:33 GMT
Released Jun 25 2012 19:17 GMT
Published Sep 08 2011 13:33 GMT

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Visual Basic Script file, 803 bytes in size.


Payload

After launching, the trojan changes the following system registry values:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.5***iling.com"
"Search Page" = "www.5***ling.com"
"default_page_url" = "www.5***ling.com"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe"

These changes replace the default home page and search page in the Internet Explorer browser and cause a file named "coiome.exe" to launch automatically every time the system starts.


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
  2. Restore the changed parameter values for the system registry key:
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page"
    "Search Page"
    "default_page_url"

  3. Delete the following system registry key parameter:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe"

  4. Clear the Temporary Internet Files directory containing the infected files:
    %Temporary Internet Files%
  5. Run a full Kaspersky Antivirus scan with updated antivirus databases.

md5: D7444767D527E6E97BD3EB85D60E800D
sha1: 3CB0844C24AB2CA5CD881F14DBC8F70002092941
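
A read-only PowerShell check for the registry values and file path listed in the Payload section, useful before and after the removal steps. This is an added example, not Kaspersky's tooling; the wildcard standing in for the masked domain and the extra WOW6432Node and Program Files (x86) locations are assumptions that are not stated on the page.

```powershell
# Added example: read-only audit, nothing is modified or deleted.
$findings = @()

# Internet Explorer values the trojan overwrites (current user's hive).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
# Assumption: wildcard standing in for the masked "www.5***ling.com".
$domainPattern = '*www.5*ling.com*'
$ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
if ($ie) {
    foreach ($name in 'Start Page', 'Search Page', 'default_page_url') {
        $prop = $ie.PSObject.Properties[$name]
        if ($prop -and "$($prop.Value)" -like $domainPattern) {
            $findings += [pscustomobject]@{
                Location = $ieMain; Name = $name; Value = $prop.Value }
        }
    }
}

# Autorun entry. The WOW6432Node path is an assumption (32-bit registry
# view on 64-bit Windows); the page lists only the first key.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $run = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        # A REG_EXPAND_SZ value is returned with %ProgramFiles% expanded,
        # so match on the tail of the path rather than the literal string.
        if ($prop.Name -eq 'safe360' -or
            "$($prop.Value)" -like '*\Common Files\sebsbvx\coiome.exe*') {
            $findings += [pscustomobject]@{
                Location = $key; Name = $prop.Name; Value = $prop.Value }
        }
    }
}

# The file the autorun entry points at. Program Files (x86) is an assumption.
foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if (-not $root) { continue }
    $exe = Join-Path $root 'Common Files\sebsbvx\coiome.exe'
    if (Test-Path -LiteralPath $exe) {
        $findings += [pscustomobject]@{
            Location = 'File system'; Name = 'coiome.exe'; Value = $exe }
    }
}

if ($findings) { $findings | Format-List } else { 'No indicators from this page found.' }
```

The HKCU check covers only the account running the script, so run it in the affected user's session.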


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.

