Virus:W32/Stanit
Date discovered:14/07/2005
Type:File infector
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:3.666 Bytes
VDF version:6.31.00.202

General
Aliases:
   •  Symantec: W32.Licum
   •  Mcafee: W32/Gael.worm.a
   •  Kaspersky: Virus.Win32.Tenga.a
   •  TrendMicro: PE_TENGA.A-O
   •  Sophos: W32/Tenga-A
   •  VirusBuster: virus Win32.Tenga.A
   •  Bitdefender: Win32.Gael.3666


Platform / OS:
   • Windows XP


Side effects:
   • Downloads a malicious file
   • Makes use of software vulnerability




   W32/Stanit is a Windows file infector that searches the computer for PE executable files. The search routine scans the hard drive recursively for .exe files. It appends its code to the end of each infected file and modifies the entry point in the file header so that the appended code is executed.
   
   To prevent infecting the same file more than once, an infection marker is added to the modified files: the 50th byte of each infected file is set to the value 0x56, the ASCII value of "V".
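As an added defender-side example (not Avira's code), the following Python triage script applies the two facts above: it checks the 50th byte for the "V" marker and checks whether the PE entry point was redirected into the last section, where appended code would live. It assumes a standard PE32 header layout and builds a constructed minimal image for its own self-test; a hit is a triage signal for a full scanner, not a verdict.

```python
import os
import struct

MARKER_OFFSET = 49    # the 50th byte (0-based offset 49), inside the DOS header
MARKER_VALUE = 0x56   # ASCII "V", the infection marker named in the description

def has_stanit_marker(data: bytes) -> bool:
    """True if the file has an MZ header and its 50th byte is the 'V' marker."""
    return len(data) > MARKER_OFFSET and data[:2] == b"MZ" and data[MARKER_OFFSET] == MARKER_VALUE

def entry_point_in_last_section(data: bytes) -> bool:
    """Heuristic for appended code: the PE entry point lies inside the last section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]        # AddressOfEntryPoint
    last = pe + 24 + opt_size + (num_sections - 1) * 40           # last section header
    if num_sections == 0 or last + 16 > len(data):
        return False
    vsize, vaddr = struct.unpack_from("<II", data, last + 8)      # VirtualSize, VirtualAddress
    return vaddr <= entry_rva < vaddr + vsize

def scan_tree(root: str):
    """Walk a directory tree and yield (path, marker, ep_in_last) for .exe files that trip either check."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            flags = (has_stanit_marker(data), entry_point_in_last_section(data))
            if any(flags):
                yield (path, *flags)

def build_sample_pe(marker: bool, entry_rva: int) -> bytes:
    """Constructed minimal PE-like image used only to exercise the checks; not a real executable."""
    dos = bytearray(64)
    dos[:2], dos[0x3C] = b"MZ", 64                                # MZ signature, e_lfanew = 64
    dos[MARKER_OFFSET] = MARKER_VALUE if marker else 0
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0)  # 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    secs = bytearray(80)                                          # two 40-byte section headers
    struct.pack_into("<II", secs, 8, 0x1000, 0x1000)              # .text: VirtualSize, VirtualAddress
    struct.pack_into("<II", secs, 48, 0x800, 0x2000)              # last section: VirtualSize, VirtualAddress
    return bytes(dos) + coff + bytes(opt) + bytes(secs)
```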

Files
It tries to download a file:

– The location is the following:
   • http://utenti.lycos.it/vx9/**********
This file is executed once the download completes. Further investigation showed that the downloaded file is also malware.



It tries to execute the following file:

– Filename:
   • dl.exe
The file contains malicious code.

Network Infection
Exploit:
It makes use of the following Exploit:
– MS03-026 (Buffer Overrun in RPC Interface)


IP address generation:
It creates random IP addresses and tries to establish a connection with them.

Backdoor
Contact server:
The following:
   • http://**********.users.freebsd.at:80


Miscellaneous
Mutex:
It creates the following Mutex:
   • gaelicum

Description inserted by Sergiu Oprea on Monday, August 28, 2006
Description updated by Sergiu Oprea on Friday, September 8, 2006
