#1
Hi guys, great forum. My PC is infected with Stator worm C. Is there software to clean this worm, or do I have to delete the files?

Thanks,
alex
#2
alex123 - Hi, and welcome to the forum! Glad you like it!

I looked through the defs for both The Cleaner and Tauscan, but I didn't see stator worm c (listed as such, anyway) in either. You're not mentioning what AV program you use - whichever one it is, have you updated your defs and engine and run a full or in-depth scan? Won't it delete or clean it? Stator's been around for a while. You can always run an online scan and see if one of those can do something with it.

Info (read all three tabs): http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_STATOR.C

HTH
Pete

That link won't work right - leave out the space in the link and it should.
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#3
Never mind, here:
WORM_STATOR.C

Risk rating:
Virus type: Worm
Destructive: No
Aliases: STATOR, STATOR.C

Description:

This is a packed, non-destructive, mass-mailing worm that uses its own SMTP engine to propagate copies of itself via email. It only infects systems with "The Bat" email client installed. It also steals cached passwords and dial-up information from the infected system. This worm may be considered a companion virus because it saves itself as a standard Windows application.

Solution:

Boot your system with a clean bootup disk.

At the command prompt, type the following to go to the Windows System directory:
    CD Windows\System

Type this to delete SCANREGW.EXE:
    del SCANREGW.EXE

Type this to delete LOADPE.COM:
    del LOADPE.COM

Type this to delete IFNHLP.SYS:
    del IFNHLP.SYS

Reboot your system to Windows.

Click Start>Find>Files or Folders, type REGEDIT.EXE on the Named text box. When the REGEDIT.EXE is found, rename it as REGEDIT.COM.
Note: This is just temporary. You should rename it back as REGEDIT.EXE after the cleanup.

Click Start>Run, type Regedit then hit the Enter key.

In the left panel, double click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command

In the right panel, look for this registry entry:
    @ = “%System%\loadpe.com “%1”%*”

Replace the default in the above registry value, “%System%\loadpe.com “%1”%*”, with this registry value:
    “%1”%*

In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices

In the right panel, look for this registry value and delete it:
    ScanRegistry = “%System%\scanregw.exe”

Close the Registry.

Delete the following files:
    MPLAYER.EXE
    WINHLP.EXE
    NOTEPAD.EXE
    CONTROL.EXE
    SCANREGW.EXE

Look for and rename these files:
    MPLAYER.VXD WINHLP.VXD = MPLAYER.EXE
    NOTEPAD.VXD = NOTEPAD.EXE
    CONTROL.VXD = CONTROL.EXE
    SCANREGW.VXD = SCANREGW.EXE

Scan your system with Trend Micro antivirus and delete all files detected as WORM_STATOR.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

WORM_STATOR.C (see also: description and solution)

In the wild: No
Discovered: Jan. 22, 2002
Detection available: Jan. 22, 2002
Detected by pattern file #: 206 (still using 900-series pattern files?)
Detected by scan engine #: 5.200
Language: English
Platform: Windows
Encrypted: No
Size of virus: 62,464 Bytes

Details:

Upon execution, this worm creates several copies of itself as SCANREGW.EXE, LOADPE.COM, IFNHLP.SYS in the Windows system directory. It then modifies the following registry entries to allow automatic execution of the worm upon system boot-up as well as upon execution of any EXE files.

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    @ = “%System%\loadpe.com “%1”%*”

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    ScanRegistry = “%System%\scanregw.exe”

File Infection:

This worm renames the following files:
    MPLAYER.EXE as MPLAYER.VXD
    WINHLP.EXE as WINHLP.VXD
    NOTEPAD.EXE as NOTEPAD.VXD
    CONTROL.EXE as CONTROL.VXD
    SCANREGW.EXE as SCANREGW.VXD

It then creates copies of itself in the following filenames so that it appears as a normal file:
    MPLAYER.EXE
    WINHLP.EXE
    NOTEPAD.EXE
    CONTROL.EXE
    SCANREGW.EXE

Propagation Via Email:

It attempts to connect to the predefined Internet mail server, SMTP.MAIL.RU, and then sends SMTP commands to create and send emails. This worm only replicates on systems that have “The Bat!” email client installed. It sends an email to email addresses it finds in the folder where the “The Bat!” address book is located. To do this, it uses this registry entry:

    HKEY_CURRENT_USER\Software\RIT\The Bat!\Working Folder

The email it sends contains an attachment, PHOTO1.JPG.PIF.

Description created: Jan. 22, 2002
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
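Added example, not part of the thread or of the Trend Micro write-up: a Python check that looks for the persistence indicators listed in the write-up above in a registry export and a file listing, useful for confirming that a cleanup actually took. The sample export, the C:\WINDOWS paths and the function names are constructed for illustration.

```python
import re

# Constructed sample: REGEDIT4-style export from a hypothetical infected machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\loadpe.com \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\SYSTEM\\scanregw.exe"
"SchedulingAgent"="mstask.exe"
'''

EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSVC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
RENAMED = ["MPLAYER", "WINHLP", "NOTEPAD", "CONTROL", "SCANREGW"]  # originals moved to .VXD
DROPPED = ["LOADPE.COM", "IFNHLP.SYS"]  # worm copies named in the write-up

def parse_reg(text):
    """Parse REGEDIT4 text into {key_lower: {value_name_lower: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = m.group(1).strip('"').lower()
            current[name] = re.sub(r'\\(.)', r'\1', m.group(2))  # undo .reg escaping
    return keys

def stator_registry_findings(text):
    """Return (indicator, data) pairs for the two registry changes in the write-up."""
    reg, findings = parse_reg(text), []
    handler = reg.get(EXE_KEY, {}).get("@")
    # A clean handler begins with the "%1" placeholder; anything in front of it runs first.
    if handler is not None and not handler.lstrip().startswith('"%1"'):
        findings.append(("exefile-hijack", handler))
    scan = reg.get(RUNSVC_KEY, {}).get("scanregistry", "")
    if "scanregw.exe" in scan.lower():
        findings.append(("runservices-scanregistry", scan))
    return findings

def stator_file_findings(filenames):
    """Return dropped copies and .VXD backups found in a directory listing."""
    names = {n.upper() for n in filenames}
    hits = [f for f in DROPPED if f in names]
    return hits + [b + ".VXD" for b in RENAMED if b + ".VXD" in names]
```

SCANREGW.EXE on its own is not flagged by the file check; the SCANREGW.VXD backup and the RunServices value are the indicators taken from the write-up.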