Aliases: I-Worm.Stator.a, W32/
[email protected], Win32.HLLW.Plict, W32/Stator-A, Win32/
[email protected],
Variants: WORM_STATOR.A, Worm/Stator, W32/Stator.A, Win32:Stator, I-Worm/Stator.A,
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 20 Apr 2001
Damage: Low
Characteristics: The
[email protected] application is classified as mass mailing worm software. It renames particular Windows programs so they have a .vxd file extension, and it utilizes the original file names for copies of the worm.
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
RECOMMENDED:
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean
[email protected] from your computer.
The
[email protected] worm is a mass-mailing worm software program. It changes the names of particular Windows software’s so that they have an extension of “.vxd”, and it then utilizes the filenames for duplicates of the worm itself. The
[email protected] worm is a program of “Borland Delphi” packed making use of the ASPack. Upon execution it changes the names “Notepad.exe -> Notepad.vxd”, “Control.exe -> Control.vxd”, “Mplayer.exe -> Mplayer.vxd”, and “Winhlp32.exe -> Winhlp32.vxd” files. After changing the names of these files, the worm may then make duplicates w/ the following names like “Notepad.exe”, “Control.exe”, “Mplayer.exe”, “Winhlp32.exe”, and “Ifnhlp.sys” in the folder of Windows.
The
[email protected] makes duplicates of itself in the folder of “WindowsSystem” as “Loadpe.com” and “Scanregw.exe”. The worm may also change the name of other W32 programs to have “.vxd” file extension and make duplicates of itself making use of the host filenames. Probably, it attempts to put this step to W32 programs that are loaded at start up from the Registry or Startup folder. The worm adds the value “ScanRegistry” to the registry key. These points of the “WindowsSystemScanregw.exe” file are created of worm. The worm adds the value “PLC_Region” to the registry key. This value has a numeric value.