W32.Stang


Aliases: W32/Generic.d, Win32.HLLW.Bropia, IM-Worm.Win32.Aimes.c, Worm/Aimes.C, W32/Gnildo.A,
Variants: I-Worm/VB.2.AQ, Win32.Worm.Aimes.C, W32/Stang.A.worm, Win32/Aimdes.D,

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Feb 2005
Damage: Medium

Characteristics: The W32.Stang application is a worm that multiplies using Microsoft MSN Messenger and tries to end processes and change security settings. The worm disables the Registry Editor and Task Manager as well.

More details about W32.Stang

The W32.Stang program is a worm that multiplies through Microsoft MSN Messenger and tries to stop the processes and lower the security settings. The W32.Stang worm also disables the Registry Editor and Task Manager. When the W32.Stang is opened, it makes the “%Windir%WINDOWSBACKUP.EXE” and “%Windir%HEY LOOK AT MY MOMS DILDO!!.PIF” files. W32.Stang worm adds the value "WindowsBackup" = "%Windir%WINDOWSBACKUP.EXE" to the registry key, so that it opens each time Windows starts. It adds the values "FirewallDisableNotify" = "1", "UpdatesDisableNotify" = "1", and "AntiVirusDisableNotify" = "1" to the registry subkeys to disable different functions of security in Windows.

The W32.Stang worm changes the value "DisableTaskMgr" = "1" and "DisableRegistryTools" = "1 in the registry key to disable the Registry Editor and Task Manager. It erases the values "[Random value]" = "cfgpwnz.exe" and "[Random value]" = "actboost.exe" from the registry key to disable some other threats. It tries to end the processes of “SVCHOST.EXE” and “LSASS.EXE”. The W32.Stang spreads the “Message: Look At This Hot Naked Girl” and “Attachment: Hey look at my moms dildo!!.pif” to all MSN messenger contacts.