Aliases: Trojan.Win32.Bizten, Trojan.Win32.Bizten.Gen, Troj/Bizten-Gen
Variants: TROJ_BIZTEN.GEN, W32/Bizten.Gen, Bizten.Gen Trojan, Win32/StartPage.tenbiz!Trojan, Win32.Startpage.AQ

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 Jan 2004
Damage: Medium

Characteristics: W32.Bizten is a Trojan Horse that hijacks Internet Explorer settings (the Start Page, Search Page and Search Bar) and may also add websites to the browser's Favorites menu.

More details about W32.Bizten

On first execution, W32.Bizten copies itself to the All Users Startup folder, C:\Documents and Settings\All Users\Start Menu\Programs\Startup, under the filename winlogon.exe. Because that folder is processed at every interactive logon for every account, the copy runs whichever user logs on, so the whole machine is affected rather than a single profile. The filename mimics the legitimate Windows logon process, which lives in the System32 directory and never in a Startup folder; a winlogon.exe anywhere else is suspect. The Trojan also adds a number of entries to the Internet Explorer Favorites menu, typically pointing at adult-oriented or pornographic sites. Browsers other than Internet Explorer may also be affected.

As part of its payload, the Trojan rewrites the Internet Explorer Start Page, Search Page and Search Bar settings, which are values under the Main subkey of the Internet Explorer registry key (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main; the corresponding key under HKEY_LOCAL_MACHINE should be checked as well). The values are replaced with www.find-itnow.com, www.find-itnow.com/pane_search.html or teen-biz.com, among others. Further changes are made to the search-related values under the Search subkey of the same Internet Explorer key. To remove the Trojan, restart the machine in Safe Mode so that the running copy is not holding its file open, delete winlogon.exe from the Startup folder (leaving the legitimate winlogon.exe in the System32 directory untouched), then use the Registry Editor to remove or restore every registry value associated with the Trojan.
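The two indicators described above (the winlogon.exe copy outside System32 and the rewritten Internet Explorer registry values) can be checked offline from evidence collected on the suspect machine. The following is an added example, not code from the original entry or from any vendor tool: it parses the text of a `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` dump and a file listing of the Startup folder, and flags values pointing at the domains the entry names. The sample .reg text and file list are constructed for the example; the indicator domains come from the entry, and the function and constant names are assumptions.

```python
"""Triage helper for the W32.Bizten indicators (added example, not from the entry)."""

# Browser-setting values the entry says the Trojan rewrites, keyed by the
# Internet Explorer subkey they live under. "Main" holds Start Page, Search
# Page and Search Bar; "Search" holds the search-assistant values.
HIJACKABLE_VALUES = {
    "Main": {"Start Page", "Search Page", "Search Bar"},
    "Search": {"SearchAssistant", "CustomizeSearch"},
}

# Domains named in the entry as the replacement targets.
INDICATOR_DOMAINS = ("find-itnow.com", "teen-biz.com")

# Legitimate home of winlogon.exe; a file with that name anywhere else is suspect.
LEGIT_WINLOGON_DIR = r"c:\windows\system32"


def parse_reg_export(text):
    """Parse the text of a .reg export into {key_path: {value_name: data}}.

    Handles the REG_SZ form  "name"="data"  and the default value  @="data".
    Other value types (dword:, hex:) are kept as their raw strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")  # split at the first '=' only
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside REG_SZ data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_hijacked_values(reg_text):
    """Return [(key_path, value_name, data)] for IE settings that point at an
    indicator domain."""
    hits = []
    for key_path, values in parse_reg_export(reg_text).items():
        subkey = key_path.rsplit("\\", 1)[-1]
        watched = HIJACKABLE_VALUES.get(subkey, set())
        for name, data in values.items():
            if name in watched and any(d in data.lower() for d in INDICATOR_DOMAINS):
                hits.append((key_path, name, data))
    return hits


def find_startup_copies(file_paths):
    """Return every path named winlogon.exe that is not in the System32 directory."""
    suspicious = []
    for path in file_paths:
        directory, _, name = path.lower().rpartition("\\")
        if name == "winlogon.exe" and directory != LEGIT_WINLOGON_DIR:
            suspicious.append(path)
    return suspicious


# Constructed sample inputs: a .reg export of an infected profile and a
# listing of the Startup folder plus the legitimate System32 binary.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.find-itnow.com/"
"Search Page"="http://www.find-itnow.com/pane_search.html"
"Search Bar"="http://www.find-itnow.com/pane_search.html"
"Window Title"="Microsoft Internet Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://teen-biz.com/"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
'''

SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for key_path, name, data in find_hijacked_values(SAMPLE_REG):
        print(f"hijacked: [{key_path}] {name} = {data}")
    for path in find_startup_copies(SAMPLE_FILES):
        print(f"suspect startup copy: {path}")
```

On a real machine, `reg export` writes the .reg file as UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `find_hijacked_values`. Any value the script flags is one to restore with the Registry Editor after the Startup copy has been deleted in Safe Mode; the legitimate System32 winlogon.exe is deliberately excluded from the file check so it is never reported for deletion.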