TROJ_POPMON.A
Overview

Malware type: Trojan

Aliases: Trojan.Win32.StartPage.et (Kaspersky), Adware-PopMonster (McAfee), Trojan.Startpage (Symantec), TR/POPMON.A2 (Avira), Trojan:Win32/Startpage.ET (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: Low

Description: 
This Trojan connects to the following link:

    http://www.pop<BLOCKED>ster.com/control/src/applications.php

This Web site, in turn, redirects the user to the following link:

    http://www.pop<BLOCKED>ster.com/control/src/Install043.exe

This malware drops the file MSRDK.XML in the Windows system folder and then executes the downloaded file, INSTALL043.EXE.

It then downloads malware files, detected as the following:

Lastly, it modifies the Windows registry so that it runs at every system startup.

It runs on Windows 95, 98, ME, NT, 2000 and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Dec. 26, 2003 3:38:14 AM GMT -0800
Description updated: Dec. 26, 2003 4:06:18 AM GMT -0800
