How to delete Trojan.Bookmark - Removal instructions

Information from Panda Software

Common name: Bookmark.B

Technical name: Trj/Bookmark.B

Threat level: Low

Type: Trojan

Effects: It changes the home page of Internet Explorer, adds links to pornographic websites to the Favorites folder and redirects the default search page.

Affected platforms: Windows XP/2000/NT/ME/98/95

First appeared on: Dec. 29, 2003

Brief Description:

Bookmark.B is a Trojan that changes the home page of the browser Internet Explorer.

Bookmark.B deletes links in the Favorites folder, and adds links to pornographic websites. In addition, it overwrites the HOSTS file, in order to redirect the default search page to a specific IP address.

Bookmark.B does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Visible Symptoms:

Bookmark.B is easy to recognize, as it changes the home page of the browser Internet Explorer.

Effects:

Bookmark.B has the following effects:

  • It changes the home page of the browser Internet Explorer.
  • It redirects the default search page auto.search.msn.com to the IP address 205.177.124.66 by overwriting the HOSTS file.
  • It deletes the links in the Favorites folder.
  • It adds links to pornographic websites, as .url shortcut files, to the Favorites folder.

Infection strategy:

Bookmark.B can copy itself with the file name CTRLPAN.DLL in directories that contain Internet temporary files.

Bookmark.B overwrites the HOSTS file, which is located in the subfolder /DRIVERS/ETC in the Windows system directory, with the following lines:

  • 127.0.0.1 localhost
  • 205.177.124.66 auto.search.msn.com

By modifying this file, Bookmark.B redirects the default search page auto.search.msn.com to the IP address 205.177.124.66.

Bookmark.B modifies the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page = http://webcoolsearch.com/
    By modifying this entry, Bookmark.B changes the home page of the browser Internet Explorer.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Search Page = http://webcoolsearch.com/

Means of transmission:

Bookmark.B does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details:

Bookmark.B is 5,120 bytes in size and it is compressed with UPX.

How to remove Bookmark.B?

Restore the original configuration of your computer by following the instructions below:

  • Close all the Internet Explorer windows.
  • End all the processes related to RUNDLL32.
  • Delete the file CTRLPAN.DLL, which is in the Windows system directory.
  • Delete the entry that Bookmark.B has created in the Windows Registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Control = rundll32.exe %sysdir%\CTRLPAN.DLL,Restore ControlPanel
    where %sysdir% is the Windows system directory.

  • Restore the HOSTS file from the latest available backup copy.
  • Restart the computer.
  • In order to make sure that Bookmark.B is completely eliminated from your computer, carry out a full scan of your computer using an antivirus.
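
A check for the HOSTS-file change described above, useful for confirming the restored file is clean. This is an added example, not Panda's code: the function names and sample string are constructed, the IP address and host name are the ones given in this advisory, and flagging other non-loopback overrides for review goes beyond the single entry the advisory lists.

```python
import ipaddress
import sys

# Indicators as listed in this advisory.
REDIRECT_IP = "205.177.124.66"
REDIRECTED_HOST = "auto.search.msn.com"

# Constructed sample: the two lines the advisory says the Trojan writes.
INFECTED_SAMPLE = "127.0.0.1 localhost\n205.177.124.66 auto.search.msn.com\n"

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on spaces/tabs
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        for name in fields[1:]:  # one address may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for entries that need attention."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if str(ip) == REDIRECT_IP or name == REDIRECTED_HOST:
            findings.append((line_no, str(ip), name, "Bookmark.B indicator"))
        elif not (ip.is_loopback or ip.is_unspecified):
            # Not from the advisory: any other override is listed for manual review.
            findings.append((line_no, str(ip), name, "review: non-loopback override"))
    return findings

if __name__ == "__main__":
    # Usage: python check_hosts.py <path to HOSTS file>; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = INFECTED_SAMPLE
    for finding in audit_hosts(text):
        print("line %d: %s -> %s (%s)" % finding)
```

An empty result means the file contains no entry matching the advisory's indicators and no other non-loopback overrides.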

How can I protect my computer from Bookmark.B?

In order to keep your computer protected, bear the following tips in mind:

  • Install a good antivirus in your computer.
  • Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  • Keep your permanent antivirus protection enabled at all times.