W32.Stemclover
W32.Stemclover can drop a copy of VBS.Stemclover onto the computer. It spreads by copying itself to network shares and removable media storage devices. W32.Stemclover is also capable of modifying registry entry to allow itself to run every time Windows is started. When executed, it may display the following text messages:
Aniee sayang….
Semua yang kulakukan hanya untuk kamu
tapi rasa rindu tidak bisa aku sembunyikan
Perasaan ini sudah gak kuat untuk melepaskan kerinduan ini
Aku sangat merindukan kehadiran kamu disisiku
Salam sayang selalu
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
First Aid to Stop W32.Stemclover:
When W32.Stemclover virus infects a computer, it will modify system settings and inject itself to legitimate Windows files. System Restore is the tool-to-go-to in bringing back clean files and restoring earlier configuration. If you have saved previous restore point, please restore Windows to an earlier date.
Manual Removal of W32.Stemclover:
1. If an anti-virus program is present, update the definition file.
2. Reboot Windows in Safe Mode
- After turning on the power, press F8 on the keyboard.
- From the menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- To edit the registry, click on Start. Search or Run regedit.exe.
Note: For a complete guide on Safe Mode and Registry Editor, please see tutorial links on the sidebar.
5. Exit registry editor and restart Windows.
Additional Tools and Programs:
Scan with Norton Power Eraser:
A free removal tool from Norton Antivirus was developed to remove virus and unfamiliar threats without using the traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- The worm will search for shared folders and duplicate it with an executable file.
- It will drop another threat and malicious files.
Malicious Files Added by W32.Stemclover:
%Windir%\system23\aniee.exe
%System%\hanny.exe
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\”winsystem” = “C:\WINDOWS\system23\aniee.exe”
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software \Microsoft\Windows\Current Version\Run\”Microfost” = “C:\WINDOWS\system32\hanny.exe”