In the wild:
• Symantec: W32.Licum
• McAfee: W32/Gael.worm.a
• Kaspersky: Virus.Win32.Tenga.a
• TrendMicro: PE_TENGA.A-O
• Sophos: W32/Tenga-A
• VirusBuster: virus Win32.Tenga.A
• Bitdefender: Win32.Gael.3666
Platform / OS:
• Windows XP
• Downloads a malicious file
• Makes use of software vulnerability
W32/Stanit is a Windows file infector that searches the computer for PE executable files. The search routine scans the hard drive recursively for .exe files. It appends its code to the end of each infected file and modifies the entry point in the file header so that its own code is executed.
To prevent multiple infections of the same file, an infection marker is added to the modified files: the 50th byte of each infected file is set to the value 56 (hexadecimal), the ASCII code of "V".
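A triage check for the two file-level traits described above, as an added example that is not part of the original description or Avira's code. It assumes the "50th byte" is counted from 1 (zero-based offset 49); `triage` and `build_sample` are hypothetical names, and the sample header is constructed for the test.

```python
import struct

MARKER_OFFSET = 49   # assumption: "50th byte" counted from 1 -> zero-based offset 49
MARKER_VALUE = 0x56  # ASCII "V"

def triage(data: bytes) -> dict:
    """Report the marker byte and whether the entry point lies in the last section."""
    result = {"pe": False, "marker": False, "entry_in_last_section": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return result
    result["pe"] = True
    result["marker"] = data[MARKER_OFFSET] == MARKER_VALUE
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    sect_tab = pe_off + 24 + opt_size
    if n_sections == 0 or opt_size < 20 or sect_tab + 40 * n_sections > len(data):
        return result                                        # truncated or malformed headers
    entry_rva, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    # Last section header: VirtualSize, VirtualAddress, SizeOfRawData follow the 8-byte name.
    last = sect_tab + 40 * (n_sections - 1)
    vsize, vaddr, rsize = struct.unpack_from("<III", data, last + 8)
    # Appended code plus a redirected entry point puts the entry in the final section.
    # Packers do this too, so treat it as a lead for further analysis, not a verdict.
    result["entry_in_last_section"] = vaddr <= entry_rva < vaddr + max(vsize, rsize)
    return result

def build_sample(entry_rva: int, marker: int) -> bytes:
    """Constructed PE-like header image for testing (headers only, not executable)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    buf[MARKER_OFFSET] = marker
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 2)             # i386, two sections
    struct.pack_into("<H", buf, 0x94, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, 0x98 + 16, entry_rva)        # AddressOfEntryPoint
    for i, (name, vaddr) in enumerate([(b".text", 0x1000), (b".data", 0x2000)]):
        struct.pack_into("<8sIII", buf, 0x178 + 40 * i, name, 0x1000, vaddr, 0x1000)
    return bytes(buf)
```

Neither indicator is conclusive alone: the marker is a single byte in a reserved header field, so a file that shows both traits should go to a full scan rather than be labelled from this check.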
It tries to download a file:
– The location is the following:
Furthermore, this file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.
It tries to execute the following file:
The file contains malicious code.
It makes use of the following Exploit:
(Buffer Overrun in RPC Interface)
IP address generation:
It creates random IP addresses and tries to establish a connection with them.
It creates the following Mutex:
Description inserted by Sergiu Oprea on Monday, August 28, 2006
Description updated by Sergiu Oprea on Friday, September 8, 2006