Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically



Win32/Stator.62464 is a worm spreading as an email file attachment.  It is written in Delphi and compressed by ASPack.  Its file-size is 62464 bytes.  The worm works in the environment of the operating systems Windows 9x/ME/NT/2000/XP, and has the ability of sending data related to the computer configuration.

Note: In following text a symbolic variable %windir% is used instead of the name of directory in which the Windows operating system is installed. The Windows directory may differ from installation to installation.

The worm arrives as an email file attachment with the file-name photo1.jpg.pif .  When the file is run the worm activates.  It replaces the extension of files notepad.exe, control.exe, mplayer.exe and winhlp32.exe located in the directory %windir% with the extension .vxd.  Then it creates its copies in this directory replacing the renamed files.

It creates its copy in the directory %windir%/System using the file-name  The worm ensures the activation of its copy after the next system restart by creating the item @ in the key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command.  It sets the item's  value to c:\windows\system\ \"%1\" %*".  Sometimes the worm also creates the file %windir%/System/scanregw.exe.  It assures its activation by creating the item ScanRegistry in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.  It sets the item's value to c:\\windows\\system\\scanregw.exe.

Win32/Stator.62464 creates the file photo1.jpg in the directory C:\windows\temp . The file contains the following picture:

Displaying this picture the worm masks its actual activity.  The worm sends its copies via the smtp server  While the worm is active there is no possibility of running the program regedit.exe (regedit is used to edit the system registry).

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.