W32/Stayt.a

Type: Virus
SubType: Parasitic
Discovery Date: 05/09/2008
Length: Varies
Minimum DAT: 5293 (05/12/2008)
Updated DAT: 5293 (05/12/2008)
Minimum Engine: 5.1.00
Description Added: 05/11/2008
Description Modified: 05/11/2008 8:53 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

Upon execution, the infected file drops and loads a DLL into the Temp path:

%UserProfile%\Local Settings\Temp\{random characters}.tmp (33,280 bytes; detected as Generic.dx)

(where %UserProfile% is the default profile folder for the current user, for example C:\Documents and Settings\<USERNAME>)

This DLL searches for executable files on the infected machine and appends its viral code to them. It then attempts to download files from the following URLs (unavailable at the time of writing):

  • http://[removed]update.black88.net/update.exe
  • http://[removed].bmwwindowss.cn/x.exe
  • http://[removed].810810.org/

It also retrieves a file list from the following URL:

  • http://www.zhaoyou8.com/[removed]/down.txt

It then downloads the files named in that list. The virus also attempts to terminate the following processes:

  • kav.exe
  • kv.exe
  • avp.exe
  • rav.exe
  • KVSrvXP.exe
  • KVSrvXP_1.exe
  • Mcshield.exe
  • 360Safe.exe

Symptoms

  • Presence of the aforementioned files
  • Increase in size of executable files
  • HTTP network traffic to the aforementioned web addresses

Method of Infection

W32/Stayt.a is a file-infecting virus. It searches for executable files on the infected machine and appends its viral code to them.
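As an added defender-side example (not part of the original description), the following Python checks for two of the symptoms listed above: it measures the overlay a PE file carries past the end of its last section, which is how appended viral code shows up as an "increase in size of executable files", and it lists `*.tmp` files in a Temp folder whose size matches the dropped 33,280-byte DLL. `build_test_pe` produces constructed test input only, not a real sample.

```python
import glob
import os
import struct
import sys

TEMP_DROPPER_SIZE = 33_280  # size of the dropped {random}.tmp DLL given in the description

def pe_overlay_size(data: bytes) -> int:
    """Bytes appended past the last section (0 = none, -1 = not a parseable PE).
    Appended viral code grows the overlay; installers and Authenticode-signed files
    also carry overlays, so treat a hit as a triage lead, not proof of infection."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first section header
    end = 0
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            return -1
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)

def suspect_temp_droppers(temp_dir: str, size: int = TEMP_DROPPER_SIZE) -> list:
    """*.tmp files in temp_dir whose size matches the dropped DLL described above."""
    hits = glob.glob(os.path.join(temp_dir, "*.tmp"))
    return sorted(p for p in hits if os.path.getsize(p) == size)

def build_test_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (one section, not runnable) used only as test input."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = bytes(224)                                                 # zeroed PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sect).ljust(0x200, b"\0")
    return header + b"\xC3" * 0x200 + overlay                         # section data, then overlay

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "overlay bytes:", pe_overlay_size(fh.read()))
```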

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files. It also downloads malware from remote sites.

Aliases

  • PE_STAYT.A (Trend Micro)
  • Win32.Agent.az (Kaspersky)
  • Win32/Wmb.A (Microsoft)