Virus

W32/Stator.A@mm

Analysis

  • The virus is ASPack-compressed and 62,464 bytes in size
  • When the virus is executed, it writes the following files, replacing existing executables with copies of itself and renaming the originals of the same name to a VXD extension -

    C:\WINDOWS\TEMP\PHOTO1.JPG - 27Kb - cropped picture of young female posing with franchise icon Ronald McDonald

    C:\WINDOWS\MPLAYER.VXD - original EXE renamed
    C:\WINDOWS\MPLAYER.EXE - virus
    C:\WINDOWS\WINHLP32.VXD - original EXE renamed
    C:\WINDOWS\WINHLP32.EXE - virus
    C:\WINDOWS\NOTEPAD.VXD - original EXE renamed
    C:\WINDOWS\NOTEPAD.EXE - virus
    C:\WINDOWS\CONTROL.VXD - original EXE renamed
    C:\WINDOWS\CONTROL.EXE - virus
    C:\WINDOWS\SCANREGW.VXD - original EXE renamed
    C:\WINDOWS\SCANREGW.EXE - virus
    C:\WINDOWS\SYSTEM\SCANREGW.EXE - virus
    C:\WINDOWS\SYSTEM\LOADPE.COM - virus

  • Virus modifies the registry to run itself at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    ScanRegistry=c:\windows\system\scanregw.exe

  • Virus modifies the registry to run itself when any executable EXE file is run -

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    @ = "c:\windows\system\loadpe.com" "%1" %*

    * Original value here was
    @ = "%1" %*

  • The virus acts as a companion virus: it renames existing EXE files to VXD files, copies itself under the original file name and assumes the icon of the original application

  • When LOADPE.COM executes, it writes three files to the local machine -

    C:\WINDOWS\SYSTEM\NDXAPI.OCX - contains string "PLICT01"
    C:\WINDOWS\SYSTEM\ODXAPI.OCX - contains string "PLICT01"
    C:\WINDOWS\IFNHLP.SYS - copy of virus

  • Every time a not-yet-infected executable is run, it is infected by the same companion method: the original file is renamed to .VXD and the virus is copied under the original .EXE file name.
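The two footprints described above, the hijacked exefile open command and the EXE/VXD companion pairs, can be checked with a few lines of Python. This is an added example and is not part of the original write-up; it works on a registry value string, a directory listing and file bytes passed in by the caller, so it runs offline. The sample listing is constructed from the file names in the write-up plus a few ordinary files, the sample headers are constructed, and the only external fact relied on is that `"%1" %*` is the Windows default for the exefile open command.

```python
"""Offline checks for the two footprints described above: the hijacked
HKCR\\exefile\\shell\\open\\command value and the EXE/VXD companion pairs.
Added example, not part of the original write-up. All inputs are passed in
(a value string, a directory listing, file bytes), so nothing here touches a
live registry or file system."""
import re
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Windows default for HKCR\exefile\shell\open\command: run the EXE ("%1") with its arguments (%*).
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def exefile_hijack(value: str) -> Optional[str]:
    """Return the program interposed before "%1" %*, or None if the value is the clean default.

    A companion virus that wants to run on every EXE launch prepends its own
    loader to this value, exactly as the write-up shows with loadpe.com.
    """
    if value.strip() == CLEAN_EXEFILE_COMMAND:
        return None
    m = re.match(r'^\s*"?(.+?)"?\s+"%1"\s+%\*\s*$', value)
    # Unrecognised shape: report the whole value rather than silently passing it.
    return m.group(1) if m else value.strip()


def companion_pairs(filenames: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (exe, vxd) pairs that share a base name within one directory listing.

    The companion method leaves the original program as NAME.VXD next to the
    infected NAME.EXE; a genuine VxD that shadows an EXE name is unusual, so
    every pair returned deserves a look.
    """
    by_stem: Dict[str, Dict[str, str]] = {}
    for name in filenames:
        stem, dot, ext = name.upper().rpartition(".")
        if dot and ext in ("EXE", "VXD"):
            by_stem.setdefault(stem, {})[ext] = name
    return sorted((v["EXE"], v["VXD"]) for v in by_stem.values() if "EXE" in v and "VXD" in v)


def is_pe_image(data: bytes) -> bool:
    """True if `data` starts like a PE executable: MZ stub, then 'PE\\0\\0' at e_lfanew.

    Real Windows 9x VxDs are LE images, so a .VXD file that parses as PE is a
    renamed Win32 program, which is what the companion rename produces.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _fake_image(signature: bytes) -> bytes:
    """Constructed minimal header: MZ stub whose e_lfanew points at 0x40, then `signature`."""
    return b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + signature


# Constructed samples: a directory listing built from the file names in the write-up
# plus ordinary files, a PE header (renamed EXE) and an LE header (genuine VxD shape).
SAMPLE_WINDOWS_DIR = [
    "MPLAYER.EXE", "MPLAYER.VXD", "WINHLP32.EXE", "WINHLP32.VXD",
    "NOTEPAD.EXE", "NOTEPAD.VXD", "CONTROL.EXE", "CONTROL.VXD",
    "SCANREGW.EXE", "SCANREGW.VXD", "EXPLORER.EXE", "WIN.INI", "VMM32.VXD",
]
SAMPLE_PE_VXD = _fake_image(b"PE\x00\x00")
SAMPLE_LE_VXD = _fake_image(b"LE")


def report(exefile_value: str, listing: Iterable[str], vxd_contents: Dict[str, bytes]) -> List[str]:
    """Combine the three checks into human-readable findings."""
    findings = []
    hijack = exefile_hijack(exefile_value)
    if hijack is not None:
        findings.append(f"exefile open command runs {hijack!r} before the requested EXE")
    for exe, vxd in companion_pairs(listing):
        note = " (VXD is a PE image, i.e. a renamed EXE)" if is_pe_image(vxd_contents.get(vxd, b"")) else ""
        findings.append(f"companion pair {exe} / {vxd}{note}")
    return findings


if __name__ == "__main__":
    for line in report('"c:\\windows\\system\\loadpe.com" "%1" %*',
                       SAMPLE_WINDOWS_DIR,
                       {"NOTEPAD.VXD": SAMPLE_PE_VXD, "VMM32.VXD": SAMPLE_LE_VXD}):
        print(line)
```

On a live host the same functions take the exefile value read from the registry and the listing of the Windows and System directories; the header check matters because a real VxD also carries a VXD extension, so the EXE/VXD name collision alone is a lead, while a PE image under a .VXD name is the renamed original.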

  • The virus attempts to hijack an email client named "The Bat!" and to use "smtp.mail.ru" as an SMTP server in order to distribute itself in emails as the file "Photo1.jpg.pif"

  • The virus attempts to capture credentials such as cached network passwords, CuteFTP information and Netscape and "The Bat!" email configurations, storing them in a file in order to send them to the virus author

  • Virus contains these strings in its code -

    undefinedADD_STAT stat.pgp
    Stat-generator v1.3