[email protected]

Aliases: I-Worm.Stator.a, W32/[email protected], Win32.HLLW.Plict, W32/Stator-A, Win32/[email protected],
Variants: WORM_STATOR.A, Worm/Stator, W32/Stator.A, Win32:Stator, I-Worm/Stator.A,

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 20 Apr 2001
Damage: Low

Characteristics: The [email protected] application is classified as mass mailing worm software. It renames particular Windows programs so they have a .vxd file extension, and it utilizes the original file names for copies of the worm.

More details about [email protected]

The [email protected] worm is a mass-mailing worm software program. It changes the names of particular Windows software’s so that they have an extension of “.vxd”, and it then utilizes the filenames for duplicates of the worm itself. The [email protected] worm is a program of “Borland Delphi” packed making use of the ASPack. Upon execution it changes the names “Notepad.exe -> Notepad.vxd”, “Control.exe -> Control.vxd”, “Mplayer.exe -> Mplayer.vxd”, and “Winhlp32.exe -> Winhlp32.vxd” files. After changing the names of these files, the worm may then make duplicates w/ the following names like “Notepad.exe”, “Control.exe”, “Mplayer.exe”, “Winhlp32.exe”, and “Ifnhlp.sys” in the folder of Windows.

The [email protected] makes duplicates of itself in the folder of “WindowsSystem” as “Loadpe.com” and “Scanregw.exe”. The worm may also change the name of other W32 programs to have “.vxd” file extension and make duplicates of itself making use of the host filenames. Probably, it attempts to put this step to W32 programs that are loaded at start up from the Registry or Startup folder. The worm adds the value “ScanRegistry” to the registry key. These points of the “WindowsSystemScanregw.exe” file are created of worm. The worm adds the value “PLC_Region” to the registry key. This value has a numeric value.