Aliases: W32/Stemclover
Variants: W32/STEMCLOVER

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia
Removal: Easy
Platform: W32
Discovered: 09 Oct 2007
Damage: Low

Characteristics: The W32.Stemclover application can infect the systems of Windows and propagates through network drives and removable drives. This worm will reach its destination as a file that is dropped from the removable drive or shared folder or mapped drive.

More details about W32.Stemclover

The W32.Stemclover application allows a remote user to access an infected computer. The W32.Stemclover application is capable of spreading itself to other computers. This may be done when the affected computer is connected to other systems through a single network. The worm application listens for commands coming from the remote user through an open port. The remote user can send some commands, such as deleting of important files from the computer, uploading and downloading of programs and starting or participating on attacks to different servers. The worm program can also be transmitted through instant messenger applications and P2P (peer-to-peer) file sharing programs.

Once this worm was executed, it duplicates itself with various files. Then this worm makes the entries of the registry so that every time the Windows starts it will run. Also this worm creates registry entries in order to disable applications where some of these are security related. Then it adds some string to the Drive C Local Disk. On Windows Me, 98, and 95 the cause of this is an existence of and Indonesian message in command prompt window once you start your Windows. Then W32.stemclover searches shared folders and it duplicates itself using the same file name of the executable original file.