W32/Stator.A@mm

Analysis

  • Virus is ASPack compressed with a size of 62,464 bytes
  • When the virus is executed, it drops the following files and copies itself over existing executables, renaming each original file of the same name to a .VXD extension -

    C:\WINDOWS\TEMP\PHOTO1.JPG - 27Kb - cropped picture of young female posing with franchise icon Ronald McDonald

    C:\WINDOWS\MPLAYER.VXD - original EXE renamed
    C:\WINDOWS\MPLAYER.EXE - virus
    C:\WINDOWS\WINHLP32.VXD - original EXE renamed
    C:\WINDOWS\WINHLP32.EXE - virus
    C:\WINDOWS\NOTEPAD.VXD - original EXE renamed
    C:\WINDOWS\NOTEPAD.EXE - virus
    C:\WINDOWS\CONTROL.VXD - original EXE renamed
    C:\WINDOWS\CONTROL.EXE - virus
    C:\WINDOWS\SCANREGW.VXD - original EXE renamed
    C:\WINDOWS\SCANREGW.EXE - virus
    C:\WINDOWS\SYSTEM\SCANREGW.EXE - virus
    C:\WINDOWS\SYSTEM\LOADPE.COM - virus

  • Virus modifies the registry to run itself at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    ScanRegistry=c:\windows\system\scanregw.exe

  • Virus modifies the registry to run itself when any executable EXE file is run -

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    @ = "c:\windows\system\loadpe.com" "%1" %*

    * Original value here was
    @ = "%1" %*

  • Virus acts as a companion virus, copying existing EXE files as VXD files, then copying itself as the original file name and also assuming the icon of the original application

  • When LOADPE.COM executes, it writes three files to the local machine -

    C:\WINDOWS\SYSTEM\NDXAPI.OCX - contains string "PLICT01"
    C:\WINDOWS\SYSTEM\ODXAPI.OCX - contains string "PLICT01"
    C:\WINDOWS\IFNHLP.SYS - copy of virus

  • Every time a new executable is run, it is infected by the companion method of copying the original file as a .VXD and copying the virus as the original .EXE file name.

  • Virus attempts to hijack an email client named "The Bat!" and also use "smtp.mail.ru" as an SMTP server in order to distribute itself in emails as the file "Photo1.jpg.pif"

  • Virus attempts to capture credentials such as cached network passwords, CuteFTP info, and Netscape and "The Bat!" email configurations, and store them in a file in order to send these to the virus author

  • Virus contains these strings in its code -

    undefinedADD_STAT stat.pgp
    Stat-generator v1.3
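
A triage helper for the two infection mechanisms described above (the modified exefile\shell\open\command handler and the .EXE/.VXD companion pairs). It is an added example for this entry, not code from the page or from Fortinet; the function names and the sample values fed to it are constructed.

```python
import re
from pathlib import PureWindowsPath

# Known-good default for HKEY_CLASSES_ROOT\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Dropped files named in the analysis above, compared case-insensitively
# (FAT and NTFS paths are case-insensitive).
KNOWN_DROPPED = {
    r"c:\windows\system\loadpe.com",
    r"c:\windows\ifnhlp.sys",
    r"c:\windows\system\ndxapi.ocx",
    r"c:\windows\system\odxapi.ocx",
    r"c:\windows\temp\photo1.jpg",
}

def exefile_hijack(command):
    """Return the program prepended to the EXE handler, or None if it is clean.

    A hijacked value has the shape  "<path>" "%1" %*  : the real target (%1)
    and its arguments (%*) are still passed on, but only after <path> runs,
    which is how LOADPE.COM gets control every time an EXE is launched."""
    cmd = command.strip()
    if cmd == CLEAN_EXEFILE_COMMAND:
        return None
    m = re.fullmatch(r'"?([^"]+?)"?\s+"%1"\s+%\*', cmd)
    return m.group(1) if m else cmd  # an unparseable value is still suspect

def companion_pairs(paths):
    """List directory\\stem for every .EXE that has a same-stem .VXD sibling.

    Stator renames MPLAYER.EXE to MPLAYER.VXD and drops itself as MPLAYER.EXE,
    so each such pair deserves a closer look (hash the EXE, inspect the VXD)."""
    seen = {}
    for p in paths:
        wp = PureWindowsPath(p.lower())
        seen.setdefault((str(wp.parent), wp.stem), set()).add(wp.suffix)
    return sorted(f"{d}\\{stem}" for (d, stem), exts in seen.items()
                  if {".exe", ".vxd"} <= exts)

def known_droppings(paths):
    """Return the entries of a file listing that match the dropped-file paths."""
    return sorted(p for p in paths if p.lower() in KNOWN_DROPPED)
```

Feed `exefile_hijack` the default value read from the key and `companion_pairs` a recursive listing of the Windows directory; an empty result from all three functions does not rule out infection, it only clears the artefacts this entry names.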

Telemetry

Detection Availability

    FortiClient              - Extreme
    FortiMail                - Extreme
    FortiSandbox             - Extreme
    FortiWeb                 - Extreme
    Web Application Firewall - Extreme
    FortiIsolator            - Extreme
    FortiDeceptor            - Extreme
    FortiEDR                 -

Version Updates

    Date        Version    Detail
    2021-04-27  85.00761
    2021-02-08  83.89600   Sig Added
    2020-09-01  80.05600   Sig Updated
    2020-06-08  78.01900   Sig Added