Win32.Stufik.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Stufik.A is also known as Tufik.
Explanation:
The file infector uses a two-part infection. Each executable is infected with a piece of code that tries to download, from the address http://www.365xinyu.com/..., the file that actually performs the infection. That file creates the directory C:\windows\temp if it doesn't exist, copies itself there and starts executing.
It also copies itself to C:\Windows as alg.exe and to C:\lsass.bbb. The file stores the current generation of the infection at offset 0xDA.
It then creates the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lsass, which stores the path of the downloaded file so that it is executed at startup. That file is executed and infects all executables on all accessible drives with the code responsible for the download.
Last update: 21 November 2011
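The artefacts listed above (the Run policy value named lsass, the dropped alg.exe and lsass.bbb copies, and the generation counter at offset 0xDA) are enough for a read-only triage check on a suspect host. The following PowerShell script is an added example, not part of the BitDefender entry; the paths and registry location are taken from the description, while the function name Get-StufikGeneration and the output format are this script's own.

```powershell
# Added example: read-only triage for the Win32.Stufik.A artefacts described above.
# It changes nothing on the host; run it from an elevated prompt so HKLM is readable.

$findings = @()

# 1. Persistence: a value named "lsass" under the Policies\Explorer\Run key.
#    This key is rarely populated on a normal workstation, so any value here deserves a look.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -eq 'lsass') {
            $findings += "Run policy value 'lsass' points at: $($p.Value)"
        }
    }
}

# 2. Dropped copies named in the description.
#    Note: a legitimate alg.exe lives in System32 (Application Layer Gateway service);
#    the description places the malicious copy directly in the Windows directory.
$dropped = @(
    (Join-Path $env:SystemRoot 'alg.exe'),
    (Join-Path $env:SystemDrive 'lsass.bbb')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Artefact present: $path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 3. Generation counter stored at offset 0xDA (assumed here to be a single byte).
#    Only meaningful for a file already identified as infected; on a clean file
#    the byte at 0xDA is ordinary header content.
function Get-StufikGeneration {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -le 0xDA) { return $null }
    return [int]$bytes[0xDA]
}

foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $gen = Get-StufikGeneration -Path $path
        if ($null -ne $gen) { $findings += "Generation byte at 0xDA in ${path}: $gen" }
    }
}

# 4. Report.
if ($findings.Count -eq 0) {
    Write-Output 'No Win32.Stufik.A artefacts found.'
} else {
    Write-Output 'Possible Win32.Stufik.A artefacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script reports and never deletes: a positive hit on the Run policy value is the strongest single indicator, since that key is not normally used for startup entries, while the file checks confirm the drop locations. Because the infector writes its downloader stub into every executable on reachable drives, a hit on one host is a reason to scan shared and removable drives as well rather than cleaning that host alone.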