high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 9 November 2005 21:41:56 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Stando-A is a worm for the Windows platform.
W32/Stando-A copies itself to the root folder of available disk drives with the filename sys.exe and creates the hidden file autorun.inf to run it.
W32/Stando-A is a worm for the Windows platform.
When first run W32/Stando-A copies itself to:
<System>\mgrShell.exe
<System>\scApp.exe
The following registry entry is created to run scApp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
scApp
<System>\scApp.exe
W32/Stando-A copies itself to the root folder of available disk drives with the filename sys.exe and creates the hidden file autorun.inf containing the following text:
[autorun]
open=sys.exe
W32/Stando-A may attempt to write to the end of files with a DOC extension, and may modify files in the root drive or internet cache folder called ~Thumbs.db or in the internet cache folder called ~RSW114.tmp.
W32/Stando-A may set the following registry entry to allow Autoplay on removable, fixed, CD-ROM and RAM drives:
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
91
W32/Stando-A may set the following registry entries to prevent hidden files from being shown, including files related to itself:
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKCU\Software\Microsoft\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
W32/Stando-A injects its code into explorer.exe and from there runs <System>\scApp.exe.
|
