Threat Encyclopedia


Win32/Stator.62464

I-Worm.Stator.a

Win32/Stator.62464 is a worm that spreads as a file attached to e-mail messages. It is written in Delphi and compressed with ASPack; its length is 62464 bytes. The worm runs on Windows 9x/ME/NT/2000/XP and is able to send out data about the computer's configuration.

Note: In the text below the symbolic name %windir% stands for the directory in which the Windows operating system is installed. This directory may of course differ from installation to installation.

The worm arrives as the file photo1.jpg.pif attached to an e-mail message. When the attachment is run, the worm activates. It renames the files notepad.exe, control.exe, mplayer.exe and winhlp32.exe in the %windir% directory, changing their extension to .vxd, and then writes copies of itself into that directory under the original file names.

It also copies itself to the directory %windir%\System under the name loadpe.com. To make sure this copy is started after the next system restart, the worm sets the default value (@) of the key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command to c:\windows\system\loadpe.com "%1" %*, so that its copy is launched every time an .exe file is opened. Sometimes the worm also creates the file %windir%\System\scanregw.exe and ensures its activation by creating the value ScanRegistry in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, set to c:\windows\system\scanregw.exe.
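The two persistence points described above (the exefile open command and the RunServices value) and the renamed system tools are what a responder would check for. The following script is an added example and is not ESET's code or part of the encyclopedia entry; it assumes the responder has a registry export in .reg format taken from a clean boot environment (the worm blocks regedit.exe while it is running) and a directory listing of %windir%. The sample export and listing are constructed for this example; the rule that a RunServices entry pointing at loadpe.com or at a scanregw.exe inside the System directory is suspicious is a heuristic of this example, not a statement from the entry.

```python
import re

# Constructed sample of a Windows registry export (.reg format). These lines are
# made up for this example; the key paths and value data mirror what the
# encyclopedia entry describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="c:\\windows\\system\\loadpe.com \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="c:\\windows\\system\\scanregw.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# Constructed export of an unmodified exefile handler, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Registry paths are case-insensitive, so everything is compared in lower case.
EXEFILE_COMMAND_KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"

# What the exefile open command looks like on an unmodified system.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# System tools the worm renames to .vxd before dropping its own copies.
REPLACED_TOOLS = ("notepad.exe", "control.exe", "mplayer.exe", "winhlp32.exe")


def unquote_reg_string(raw):
    """Turn a quoted .reg string value into its real contents."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    # .reg files escape backslashes and double quotes with a backslash;
    # one left-to-right pass undoes both escapes correctly.
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: data}}.

    Only string values are handled; that is all these checks need.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "@" if name == "@" else unquote_reg_string(name)
        keys[current][name] = unquote_reg_string(data)
    return keys


def check_exefile_hijack(keys):
    """Return the exefile open command if it differs from the stock "%1" %*, else None."""
    command = keys.get(EXEFILE_COMMAND_KEY, {}).get("@")
    if command is None or command.strip() == DEFAULT_EXEFILE_COMMAND:
        return None
    return command


def check_runservices(keys):
    """Return (name, data) RunServices entries that point at the files the worm drops.

    Heuristic (an assumption of this example): the worm's copies live in the
    System directory, so a scanregw.exe under \system\ or any loadpe.com is flagged.
    """
    suspicious = []
    for name, data in keys.get(RUNSERVICES_KEY, {}).items():
        low = data.lower()
        if "loadpe.com" in low or "\\system\\scanregw.exe" in low:
            suspicious.append((name, data))
    return suspicious


def renamed_tools(windir_listing):
    """Return the tools whose .vxd twin sits beside the .exe in a %windir% listing."""
    names = {n.lower() for n in windir_listing}
    return [tool for tool in REPLACED_TOOLS
            if tool in names and tool[:-4] + ".vxd" in names]


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    hijack = check_exefile_hijack(keys)
    if hijack:
        print("exefile handler hijacked:", hijack)
    for name, data in check_runservices(keys):
        print("suspicious RunServices entry:", name, "=", data)
    # Constructed listing: notepad.exe has been replaced, winhlp32.exe has not.
    for tool in renamed_tools(["notepad.exe", "notepad.vxd", "winhlp32.exe"]):
        print("system tool replaced:", tool)
```

Because the exefile handler is consulted for every .exe launch, restoring it to "%1" %* is the first repair step; deleting loadpe.com before the handler is fixed leaves a system on which no .exe can be started.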

Win32/Stator.62464 creates the file photo1.jpg in the directory C:\windows\temp. The file contains the following picture:

By displaying this picture the worm masks its actual activity. The worm sends its copies through the mail server smtp.mail.ru. While the worm is active, the registry editor regedit.exe cannot be run.

© 1992-2004 ESET s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.