Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed.

Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Troj/StartPa-I attempts to modify several Microsoft Internet Explorer values.

Troj/StartPa-I drops a DLL component to the System folder as ctrlpan.dll (also detected as Troj/StartPa-I) and adds the following registry entry in order to run this component on system restart:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "ctrlpan.dll"

Troj/StartPa-I sets the following registry entries relating to Internet Explorer to

HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Search

Troj/StartPa-I creates or overwrites C:\drivers\etc\hosts, which has the following entries: localhost

Troj/StartPa-I creates an HTML stylesheet in C:\hh.htt and creates associated registry entries in

HKLM\Software\Microsoft\Internet Explorer\Styles\User Stylesheet and

HKLM\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet.

The URL files will have links to porn-related websites.

Troj/Startpa-Z is a simple Trojan that makes changes to Internet Explorer settings via the registry.

Troj/Startpa-Z changes the default start page of Internet Explorer to the URL and will add a list of URLs containing adult content to the favourites folder. The Trojan will also change the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Styles\
Use My Stylesheet = 1

HKCU\Software\Microsoft\Internet Explorer\Styles\
User Stylesheet = hh.htt

HKLM\Software\Microsoft\Internet Explorer\Styles\
Use My Stylesheet = 1

HKLM\Software\Microsoft\Internet Explorer\Styles\
User Stylesheet = hh.htt

The stylesheet file hh.htt is detected by Sophos Anti-Virus as Troj/Startpa-BG.
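
The registry values and files listed above for both variants can be checked by hand before or after running a disinfector. The PowerShell script below is an added example, not part of Sophos Resolve; it only reads the values named on this page and reports them. The helper name Get-RegValue and the extra check of the 32-bit System folder are assumptions of the example.

```powershell
# Read-only audit for the Troj/StartPa registry and file changes described on this page.
# Added example, not Sophos code. It reports findings and changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# AppInit_DLLs persistence: DLLs listed here are loaded into processes that load user32.dll.
$appInit = Get-RegValue 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'AppInit_DLLs'
if ($appInit -match 'ctrlpan\.dll') {
    $findings += "AppInit_DLLs references ctrlpan.dll: $appInit"
}

# Forced Internet Explorer user stylesheet, checked in both hives.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key   = "$hive\Software\Microsoft\Internet Explorer\Styles"
    $sheet = Get-RegValue $key 'User Stylesheet'
    $use   = Get-RegValue $key 'Use My Stylesheet'
    if ($sheet -match 'hh\.htt') {
        $findings += "$key\User Stylesheet = $sheet (Use My Stylesheet = $use)"
    }
}

# Dropped files named on this page; the 32-bit System folder is checked as well (assumption).
$sysDirs = 'System', 'SystemX86' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ } | Select-Object -Unique
$files = @($sysDirs | ForEach-Object { Join-Path $_ 'ctrlpan.dll' }) + 'C:\hh.htt'
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file) { $findings += "File present: $file" }
}

# The URL the Trojan writes is not given on this page, so these values are listed for manual review.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
    $value = Get-RegValue $ieMain $name
    if ($value) { "Review: $ieMain\$name = $value" }
}

if ($findings.Count -eq 0) { 'No Troj/StartPa indicators from this page were found.' }
else { $findings }
```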

Troj/Startpa can be removed from Windows computers automatically with the following Resolve tools:

STRTPGUI is a disinfector for standalone Windows computers. To use it you have to do the following:

■ Open the file from your desktop after downloading it.

■ Click on the Start Scan button.

■ Wait for the process to complete.

STRTPSFX.EXE is a self-extracting archive containing STRTPCLI, a Resolve command line disinfector for use by system administrators on Windows networks.


