W32/Stando-B

Category: Viruses and Spyware
Protection available since: 02 May 2007 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 02 May 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports

W32/Stando-B is a worm for the Windows platform.

W32/Stando-B spreads to other network computers.

W32/Stando-B includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Stando-B copies itself to:

<Temp>\suchost.exe
<Temp>\mgrShell.exe

and creates the file <System>\activeds.exe.

The file activeds.exe is detected as Troj/Bckdr-QIA.

Registry entries are set as follows to run the worm copy on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
scApp
<Root>\DOCUME~1\REPCLI~1\LOCALS~1\Temp\suchost.exe

W32/Stando-B copies itself to the root folder of available disk drives with the filename sys.exe and creates the hidden file autorun.inf containing the following text:

[autorun]
open=sys.exe

W32/Stando-B may attempt to append data to files with a DOC extension. It may also modify files named ~Thumbs.db in the root of a drive or in the internet cache folder, and files named ~RSW114.tmp in the internet cache folder.

W32/Stando-B may set the following registry entry to allow Autoplay on removable, fixed, CD-ROM and RAM drives:

HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91
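
A triage check for the autorun.inf and Autoplay behaviour described above, as an added example that is not Sophos code. It assumes the value 91 is hexadecimal (0x91) and uses the documented NoDriveTypeAutoRun drive-type flags; the function names are illustrative.

```python
import os

# NoDriveTypeAutoRun is a bitmask: a set bit DISABLES Autoplay for that drive type.
DRIVE_TYPE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
                   0x20: "CD-ROM", 0x40: "RAM"}

def autoplay_enabled_types(mask):
    """Drive types on which Autoplay remains enabled under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def autorun_targets(text):
    """Commands an autorun.inf would launch, tolerant of case and junk lines."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets

def scan_root(root):
    """Return (command, target_present) pairs for the autorun.inf in a drive root."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    path = os.path.join(root, names["autorun.inf"])
    with open(path, encoding="latin-1") as fh:
        commands = autorun_targets(fh.read())
    results = []
    for cmd in commands:
        # First token is the program; anything after it is arguments.
        parts = cmd.strip('"').split()
        program = parts[0].strip('"').lower() if parts else ""
        results.append((cmd, program in names))
    return results

if __name__ == "__main__":
    # Constructed sample matching the autorun.inf text quoted on this page.
    print(autorun_targets("[autorun]\nopen=sys.exe\n"))
    # Assumption: the page's value 91 is hexadecimal.
    print(autoplay_enabled_types(0x91))
```

A drive root where `scan_root` reports an `open=` target that is present alongside a hidden autorun.inf is worth inspecting before the volume is mounted on other machines.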

W32/Stando-B may set the following registry entries to prevent hidden files from being shown, including files related to itself:

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1

HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
