stator worm c

Discussion in 'malware problems & news' started by alex123, Feb 17, 2002.

Thread Status:
Not open for further replies.
  1. alex123

    alex123 Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    1
    Hi guys, great forum. My PC is infected with Stator worm C. Is there software to clean this worm, or do I have to delete the files? Thanks, Alex
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    alex123 - Hi, and welcome to the forum! Glad you like it!

    I looked through the defs for both The Cleaner and Tauscan, but I didn't see stator worm c (listed as such, anyway) in either.

    You're not mentioning what AV program you use - whichever one it is, have you updated your defs and engine and run a full or in-depth scan? Won't it delete or clean it? Stator's been around for awhile.

    You can always run an online scan and see if one of those can do something with it.

    Info (read all three tabs): http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_STATOR.C HTH Pete

    *That link won't work right - leave out the space in the link and it should.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Never mind, here:

    WORM_STATOR.C

    Risk rating:

    Virus type:
    Worm

    Destructive:
    No

    Aliases:
    STATOR, STATOR.C

    Description:
    This is a packed, non-destructive, mass-mailing worm that uses its own SMTP engine to propagate copies of itself via email. It only infects systems with "The Bat" email client installed.

    It also steals Cached passwords and Dial-up information from the infected system.

    This worm may be considered a companion virus because it saves itself as a standard Windows application.

    Solution:

    Boot your system with a clean bootup disk.
    At the command prompt, type the following to go to Windows
    System directory:
    CD Windows\System
    Type this to delete SCANREGW.EXE:
    del SCANREGW.EXE
    Type this to delete LOADPE.COM:
    del LOADPE.COM
    Type this to delete IFNHLP.SYS:
    del IFNHLP.SYS
    Reboot your system to Windows.
    Click Start>Find>Files or Folders, type REGEDIT.EXE in the Named text box.
    When the REGEDIT.EXE is found, rename it as REGEDIT.COM.
    Note: This is just temporary. You should rename it back as REGEDIT.EXE after the cleanup.
    Click Start>Run, type Regedit then hit the Enter key.
    In the left panel, double click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
    In the right panel, look for this registry entry:
    @ = "%System%\loadpe.com "%1"%*"
    Replace the default in the above registry value, "%System%\loadpe.com "%1"%*", with this registry value:
    "%1"%*
    In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices
    In the right panel, look for this registry value and delete it:
    ScanRegistry = "%System%\scanregw.exe"
    Close the Registry.
    Delete the following files:
    MPLAYER.EXE
    WINHLP.EXE
    NOTEPAD.EXE
    CONTROL.EXE
    SCANREGW.EXE
    Look for and rename these files:
    MPLAYER.VXD
    WINHLP.VXD = MPLAYER.EXE
    NOTEPAD.VXD = NOTEPAD.EXE
    CONTROL.VXD = CONTROL.EXE
    SCANREGW.VXD = SCANREGW.EXE
    Scan your system with Trend Micro antivirus and delete all files detected as WORM_STATOR.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

    WORM_STATOR.C
    (see also: description and solution)

    In the wild:
    No
    Discovered:
    Jan. 22, 2002
    Detection available:
    Jan. 22, 2002
    Detected by pattern file #:
    206
    (still using 900-series pattern files?)
    Detected by scan engine #:
    5.200

    Language:
    English
    Platform:
    Windows
    Encrypted:
    No
    Size of virus:
    62,464 Bytes

    Details:
    Upon execution, this worm creates several copies of itself as SCANREGW.EXE, LOADPE.COM, IFNHLP.SYS in the Windows system directory.

    It then modifies the following registry entries to allow automatic execution of the worm upon system boot-up as well as upon execution of any EXE files.

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    @ = "%System%\loadpe.com "%1"%*"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    ScanRegistry = "%System%\scanregw.exe"

    File Infection:
    This worm renames the following files:

    MPLAYER.EXE as MPLAYER.VXD
    WINHLP.EXE as WINHLP.VXD
    NOTEPAD.EXE as NOTEPAD.VXD
    CONTROL.EXE as CONTROL.VXD
    SCANREGW.EXE as SCANREGW.VXD

    It then creates copies of itself in the following filenames so that it appears as a normal file:

    MPLAYER.EXE
    WINHLP.EXE
    NOTEPAD.EXE
    CONTROL.EXE
    SCANREGW.EXE

    Propagation Via Email:
    It attempts to connect to the predefined Internet mail server, SMTP.MAIL.RU, and then sends SMTP commands to create and send emails.

    This worm only replicates on systems that have "The Bat!" email client installed. It sends an email to the email addresses it finds in the folder where the "The Bat!" address book is located. To do this, it uses this registry entry:

    HKEY_CURRENT_USER\Software\RIT\The Bat!\Working Folder

    The email it sends contains an attachment, PHOTO1.JPG.PIF.
    Description created:
    Jan. 22, 2002
     
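The three indicators in the write-up quoted above (the exefile open-command hijack, the RunServices autostart entry and the companion-file renames in the System directory) can be audited read-only before anyone starts deleting files. The script below is an added example, not part of the thread or of Trend Micro's advisory; it assumes PowerShell 5 or later, checks both the Windows 9x System folder and System32, and only reports what it finds so the manual steps above can be followed with confidence.

```powershell
# Added example: read-only audit for the WORM_STATOR.C persistence indicators
# described in the Trend Micro write-up. Assumes PowerShell 5+. Changes nothing.

$findings = @()

# 1. EXE file-association hijack. A clean system has exactly "%1" %* as the
#    default value; the worm prepends %System%\loadpe.com so it runs before
#    every EXE.
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmdVal = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmdVal -ne '"%1" %*') {
    $findings += "exefile open command is '$cmdVal' (expected '`"%1`" %*')"
}

# 2. RunServices autostart (a Windows 9x/Me key; normally absent on NT-based
#    Windows, hence SilentlyContinue).
$svcKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc -and $svc.PSObject.Properties['ScanRegistry']) {
    $findings += "RunServices\ScanRegistry = '$($svc.ScanRegistry)'"
}

# 3. Dropped copies and companion renames. SCANREGW.EXE is a legitimate
#    Windows 9x file, so it is only flagged via the companion pair below;
#    LOADPE.COM and IFNHLP.SYS have no legitimate reason to exist.
$sysDirs = @("$env:SystemRoot\System", "$env:SystemRoot\System32") |
    Where-Object { Test-Path $_ }
$dropped    = 'LOADPE.COM', 'IFNHLP.SYS'
$companions = 'MPLAYER', 'WINHLP', 'NOTEPAD', 'CONTROL', 'SCANREGW'

foreach ($dir in $sysDirs) {
    foreach ($f in $dropped) {
        $p = Join-Path $dir $f
        if (Test-Path $p) { $findings += "dropped file present: $p" }
    }
    foreach ($name in $companions) {
        # The renamed original (.VXD) next to a same-named .EXE is the
        # companion-virus pattern the advisory describes.
        $vxd = Join-Path $dir "$name.VXD"
        $exe = Join-Path $dir "$name.EXE"
        if ((Test-Path $vxd) -and (Test-Path $exe)) {
            $findings += "companion pair: $exe alongside $vxd"
        }
    }
}

if ($findings.Count -eq 0) {
    'No WORM_STATOR.C indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an elevated prompt so the HKLM key can be read. The exefile check is worth keeping in any baseline audit even today: that same default value is the hook for the whole family of "EXE association" persistence tricks, and anything other than `"%1" %*` there deserves an explanation.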