I-Worm.Stator Viruses Information
Name: I-Worm.Stator
Category: Viruses
Description:
Details
I-Worm.Stator
This is an Internet worm that spreads via infected e-mails. It can spread only from computers that have the TheBat! e-mail client installed.
The worm obtains victims' e-mail addresses from the TheBat! database. To send itself from an infected computer, the worm uses the SMTP protocol and connects to the smtp.mail.ru e-mail server.
The message Subject and Body are in Russian, and the attached file is a Win32 EXE file (PE EXE file) with the name "photo1.jpg.pif".
The translated text appears as follows:
Hello!
Your address was given to me by a common friend of ours (the first address that came to his mind)
I am a newcomer to the Internet and have just got this mailbox!
So this is the very first time I am writing an e-mail!!!
He said that if I had any questions, I could ask you all
I am pretty cute and sociable.
(have a look at the photo)
I'm waiting for a reply from you!!!
Write me a bit about yourself and what you would like to know about me.
Good bye! Good bye!
:)))))))))
Sveta Kovaleva
The worm also installs itself into the system, infects a few files there, and sends passwords and other confidential information out of the computer.
To hide its activity, the worm displays a JPEG image of a girl.
Infecting the system
When the worm starts (activated from an infected message), it installs itself into the system in several ways.
First, the worm infects five files in the Windows directory:
MPLAYER.EXE, WINHLP32.EXE, NOTEPAD.EXE, CONTROL.EXE, SCANREGW.EXE
The worm infects them in a "companion" way: the original file is renamed with a .VXD extension, and the worm then copies itself in place of the original file under the .EXE name.
The worm then drops several of its copies - SCANREGW.EXE and LOADPE.COM - to the Windows system directory and IFNHLP.SYS to the Windows directory. The LOADPE.COM file is then registered in the auto-run Registry key:
HKCR\exefile\shell\open\command = LOADPE.COM
Later, whenever any Win32 EXE file is started, this worm copy is activated and infects that EXE file in the same companion manner.
The SCANREGW.EXE file (this worm's copy) in the Windows system directory is then registered in the auto-run Registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ScanRegistry = %SystemDir%\scanregw.exe
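As an added illustration (not part of the original description), the following Python checks a Windows directory for the companion pairs and a .reg-style export for the two Registry values described above. The Registry paths are reconstructed with backslashes, the assumption that %SystemDir% is C:\WINDOWS\SYSTEM is mine, and the directory contents and Registry text are constructed sample input.

```python
import os
import tempfile

# Files the description says the worm companion-infects in the Windows directory.
COMPANION_TARGETS = ("MPLAYER", "WINHLP32", "NOTEPAD", "CONTROL", "SCANREGW")
# Registry keys from the description (backslashes reconstructed), matched case-insensitively.
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"


def find_companion_pairs(windows_dir):
    """Base names with both NAME.EXE and NAME.VXD present: the renamed original
    sitting beside the worm copy is the companion trace described in the text."""
    names = {n.upper() for n in os.listdir(windows_dir)}
    return [b for b in COMPANION_TARGETS if f"{b}.EXE" in names and f"{b}.VXD" in names]


def check_registry_export(reg_text):
    """Scan a REGEDIT4-style export for the two values the description says the worm sets."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        name, sep, value = line.partition("=")
        if not sep or key is None:
            continue
        name = name.strip().strip('"').lower()
        value = value.strip().strip('"').replace("\\\\", "\\").upper()  # undo .reg escaping
        # Default value of exefile\shell\open\command handed to LOADPE.COM.
        if key == EXEFILE_KEY and name == "@" and "LOADPE.COM" in value:
            findings.append("exefile open command runs LOADPE.COM")
        # ScanRegistry under RunServices pointing at a scanregw.exe copy in the system directory
        # (assumed here to be C:\WINDOWS\SYSTEM).
        if key == RUNSERVICES_KEY and name == "scanregistry" and value.endswith(r"\SYSTEM\SCANREGW.EXE"):
            findings.append("RunServices ScanRegistry points into the system directory")
    return findings


def demo():
    """Constructed sample: a fake Windows directory and a fake Registry export."""
    with tempfile.TemporaryDirectory() as win:
        for n in ("MPLAYER.EXE", "MPLAYER.VXD", "NOTEPAD.EXE", "CONTROL.EXE", "CONTROL.VXD"):
            open(os.path.join(win, n), "wb").close()
        pairs = find_companion_pairs(win)
    reg = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="LOADPE.COM"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\SYSTEM\\scanregw.exe"
'''
    return pairs, check_registry_export(reg)
```

NOTEPAD.EXE alone is not flagged because no renamed NOTEPAD.VXD sits beside it, so a stock system directory produces no companion findings.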
Information that is sent out
The worm sends out the following data from an infected computer (to its "master"):
Remote access password and logins
Local network logins and passwords
BCSoft NetLaunch, PySoft AutoConnect and CureFtp information (if installed)
Netscape, TheBat! system parameters (if installed)
List of FAR ftp servers (if installed)
FIDO TMail passwords (if installed)
as well as the system configuration and other information about the system.
The message containing this information has the following fields:
From: Stat-generator v1.3 <%email_from%@mail.ru>
To: <%email_to%@pisem.net>
Subject: PLICT`01. Stat from %IP_address%
Attach: STAT.PGP
where:
%IP_address% is the IP address of the infected machine.
%email_from% is a seven-byte random string (for example, "syekqwc", "kryfmta", "nubipwd").
%email_to% is a seven-byte address generated from the month and day numbers (for example, "pwdkryf", "rzhpxfn"). The e-mail address to which the information is sent therefore changes with the current month and day.