[INFO]
AnalystName=Swarna Latha V.G.
AnalystEMailID=swarnalatha.gopinathan@comodo.com
Team=India
Date=12-JAN-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Pasta
Variant=SB

[OVERVIEW]
TrojWare.Win32.Pasta is a broader definition of TrojWare.Win32.StartPage, so the family name has been changed from StartPage to Pasta. It changes the default start page of the Internet Explorer browser to a malware website or another unknown BHO site. Malware websites that are still active can carry a payload that downloads further malware files without the user's knowledge, or can redirect the browser to other malware websites.

[TECHNICAL_DESCRIPTION]
Registry Keys Added:
HKLM\SOFTWARE\Classes\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}
HKLM\SOFTWARE\Classes\YodaoToolbar.StockBar\Clsid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}

Registry Values Added:
HKLM\SOFTWARE\Classes\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\ProgID\: "YodaoToolbar.StockBar"
HKLM\SOFTWARE\Classes\CLSID\{7B434A2A-9E4C-48F2-8373-5801F316A4D5}\InprocServer32\: "%Program Files%\Youdao\Toolbar\ydtbv2.23\YODAOT~1.DLL"
HKLM\SOFTWARE\Classes\YodaoToolbar.StockBar\Clsid\: "{7B434A2A-9E4C-48F2-8373-5801F316A4D5}"

Registry Keys Modified:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.133.net"

Files Added:
%AppData%\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.url
%DesktopDir%\Internet Explorer.url
%Favorites%\精品网址导航.url
%Start Menu%\启动 Internet Explorer 浏览器.url
%Program Files%\Youdao\Toolbar\ydtbv2.23\YodaoToolbar.dll
%WINDOWS%\ime\SPTIPIMERS.ini

Modifies the start page of the Internet Explorer browser and also modifies the Internet Explorer Quick Launch entry in the taskbar. A DLL, "YodaoToolbar.dll", is dropped; it is adware. The DLL can be seen registered under the add-ons tab, in the enabled state: open Internet Explorer and go to Tools -> Manage Add-ons.

[SYMPTOMS]
The homepage of the Internet Explorer browser is changed to "http://www.133.net".

[DISINFECTION]
Manual Removal Instructions:
Delete the following registry value:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.133.net"
Change the start page: go to Control Panel -> Internet Options -> General tab -> Home page, and replace "http://www.133.net" with a blank homepage by clicking the "Use blank" button.
Disable the DLL "YodaoToolbar.dll": open Internet Explorer, go to Tools -> Manage Add-ons, and click Disable.
Delete the following files:
%Program Files%\Youdao\Toolbar\ydtbv2.23\YodaoToolbar.dll
%WINDOWS%\ime\SPTIPIMERS.ini
Restart the system.
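The manual removal steps above can be scripted for auditing a fleet. The following PowerShell is an added example, not part of the Comodo record: it checks for the start page value, the BHO registration keys and the dropped files listed in this record, and only with -Remediate applies the removal steps. Removing the BHO registration key under Browser Helper Objects is this script's scripted equivalent of disabling the add-on in Manage Add-ons, an assumption not stated in the record; close Internet Explorer before running it with -Remediate so the DLL is not locked.

```powershell
# Added example: audit (default) or remediate (-Remediate) the indicators from the record.
[CmdletBinding()]
param([switch]$Remediate)

# Indicators taken from the TrojWare.Win32.Pasta.SB record above
$Clsid     = '{7B434A2A-9E4C-48F2-8373-5801F316A4D5}'
$BhoKey    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
$ClsidKey  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
$ProgIdKey = 'HKLM:\SOFTWARE\Classes\YodaoToolbar.StockBar'
$IeMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$BadHome   = 'http://www.133.net'
$Files     = @(
    (Join-Path $env:ProgramFiles 'Youdao\Toolbar\ydtbv2.23\YodaoToolbar.dll'),
    (Join-Path $env:windir 'ime\SPTIPIMERS.ini')
)

$findings = @()

# 1. Hijacked start page: the record says to delete the value
$startPage = (Get-ItemProperty -Path $IeMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -eq $BadHome) {
    $findings += "Start Page set to $BadHome"
    if ($Remediate) { Remove-ItemProperty -Path $IeMain -Name 'Start Page' }
}

# 2. BHO / COM registration of YodaoToolbar.dll (assumption: removing the keys
#    is the scripted equivalent of "disable" in Manage Add-ons)
foreach ($key in $BhoKey, $ClsidKey, $ProgIdKey) {
    if (Test-Path -Path $key) {
        $findings += "Registry key present: $key"
        if ($Remediate) { Remove-Item -Path $key -Recurse -Force }
    }
}

# 3. Dropped files named in the record's removal steps
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[HIT] $_" } }
else           { Write-Output 'No TrojWare.Win32.Pasta.SB indicators found' }
if ($Remediate -and $findings) { Write-Output 'Remediation applied; restart the system to finish' }
```

Run it from an elevated prompt, since the BHO keys and the Program Files path require administrator rights to remove.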