stator worm c

hi guys great forum ,my pc is infected with stator worm c  is there software to clean this worm or do I have to delete the files. thanks alex

 

alex123 - Hi, and welcome to the forum! Glad you like it!

I looked through the defs for both The Cleaner and Tauscan, but I didn't see stator worm c  (listed as such, anyway)  in either.

You're not mentioning what AV program you use - whichever one it is, have you updated your defs and engine and run a full or in-depth scan? Won't it delete or clean it? Stator's been around for awhile.

You can always run an online scan and see if one of those can do something with it.

Info ( Read all three tabs ) : http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_STATOR.C  HTH Pete

*That link won't work right - leave out the space in the link and it should.

 

Never mind, here:

WORM_STATOR.C


Risk rating:




Virus type:

Worm

Destructive:

No


Aliases:
STATOR, STATOR.C

Description:
This is a packed, non-destructive, mass - mailing worm that uses its own SMTP engine to propagate copies of itself via email. It only infects systems with "The Bat" email client installed.

It also steals Cached passwords and Dial-up information from the infected system.

This worm may be considered a companion virus because it saves itself as a standard Windows application.

Solution:

Boot your system with a clean bootup disk.
At the command prompt, type the following to go to Windows
System directory:
CD Windows\System
Type this to delete SCANREGW.EXE:
del SCANREGW.EXE
Type this to delete LOADPE.COM:
del LOADPE.COM
Type this tho delete IFNHLP.SYS:
del IFNHLP.SYS
Reboot your system to Windows.
Click Start>Find>Files or Folders, type REGEDIT.EXE on the Named text box.
When the REGEDIT.EXE is found, rename it as REGEDIT.COM.
Note: This is just temporary. You should rename it back as REGEDIT.EXE after the cleanup.
Click Start>Run, type Regedit then hit the Enter key.
In the left panel, double click the following:
HKEY_CLASSES_ROOT>exefile>shell>open
>command
In the right panel, look for this registry entry:
@ = “%System%\loadpe.com “%1”%*”
Replace the default in the above registry value, “%System%\loadpe.com “%1”%*” with this registry value:
“%1”%*
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows
>CurrentVersion>RunServices
In the right panel, look for this registry value and delete it:
ScanRegistry = “%System%\scanregw.exe”
Close the Registry.
Delete the following files:
MPLAYER.EXE
WINHLP.EXE
NOTEPAD.EXE
CONTROL.EXE
SCANREGW.EXE
Look for and rename these files:
MPLAYER.VXD
WINHLP.VXD = MPLAYER.EXE
NOTEPAD.VXD = NOTEPAD.EXE
CONTROL.VXD = CONTROL.EXE
SCANREGW.VXD = SCANREGW.EXE
Scan your system with Trend Micro antivirus and delete all files detected as WORM_STATOR.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

WORM_STATOR.C
(see also: description and solution)

In the wild:
No
Discovered:
Jan. 22, 2002
Detection available:
Jan. 22, 2002
Detected by pattern file #:
206
(still using 900-series pattern files?)
Detected by scan engine #:
5.200

Language:
English
Platform:
Windows
Encrypted:
No
Size of virus:
62,464 Bytes

Details:
Upon execution, this worm creates several copies of itself as SCANREGW.EXE, LOADPE.COM, IFNHLP.SYS in the Windows system directory.

It then modified the following registry entries to allow automatic execution of the worm upon system boot-up as well as upon execution of any EXE files.

HKEY_CLASSES_ROOT\exefile\shell\open\
command@ = “%System%\loadpe.com “%1”%*”

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
ScanRegistry = “%System%\scanregw.exe”

File Infection:
This worm renames the following files:

MPLAYER.EXE as MPLAYER.VXD
WINHLP.EXE as WINHLP.VXD
NOTEPAD.EXE as NOTEPAD.VXD
CONTROL.EXE as CONTROL..VXD
SCANREGW.EXE as SCANREGW.VXD

It then creates copies of itself in the following filenames so that it appears as a normal file:

MPLAYER.EXE
WINHLP.EXE
NOTEPAD.EXE
CONTROL.EXE
SCANREGW.EXE

Propagation Via Email:
It attempts to connect to the predefined Internet mail server, SMTP.MAIL.RU, and then sends SMTP commands to create and send emails.

This worm only replicates on systems that have “The Bat!” email client installed. It sends an email to email addresses if finds in the folder where the “The Bat!” address book is located. To do this, it uses this registry entry:

HKEY_CURRENT_USER\Software\RIT\
The Bat!\Working Folder

The email it sends contains an attachment, PHOTO1.JPG.PIF.
Description created:
Jan. 22, 2002