stivc.exe

  • Thread starter Thread starter Steve Pope
  • Start date Start date
S

Steve Pope

My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?

Thanks
Steve
 
From: "Steve Pope" <[email protected]>

| My firewall warned me that windows/system/stivc.exe was trying to
| access the net; a bit of googling suggests that this is a
| trojan, it should be deleted (which I did), and references to
| it in the Windows 95 registry should be removed (which I
| did not do, but they do not seem to be causing a problem).
|
| NAV does not consider this file a virus. It has not re-appeared.
|
| Is this a known virus, and is there anything else I should do
| about it?
|
| Thanks
| Steve

Are you running Win95 ?

Please submit a sample of "stivc.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all paricipating vendors.

When you get the report, please post back the exact reults.

Please execute; notepad c:\windows\system.ini

in the [boot] section Look for...
shell=

it should be
shell=Explorer.exe

If it is...
shell=Explorer.exe c:\windows\system\stivc.exe
or anything else...

Change it to...
shell=Explorer.exe

Then reboot the PC.
 
Please submit a sample of "stivc.exe" to Virus Total --
Click to expand...

I discovered a stivc.exe file on the internet and uploaded it
to VT. The result was quite interesting:

This is a report processed by VirusTotal on 12/11/2005
at 22:49:10 (CET) after scanning the file "stivc.exe" file.

AntiVir no virus found
Avast no virus found
AVG no virus found
Avira no virus found
BitDefender BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris no virus found
eTrust-Vet no virus found
Fortinet suspicious
F-Prot no virus found
Kaspersky no virus found
McAfee no virus found
NOD32v2 probably unknown NewHeur_PE virus
Norman no virus found
Panda Bck/Agent.AXY
Sophos no virus found
Symantec no virus found
TheHacker no virus found
VBA32 suspected of Trojan-Dropper.Delf.40

Since most detections appear to be heuristic, it looks like the
file I found is either new malware or a new variant of something or
other. That's not to say, of course, that the file I found is the
same one that gave the OP trouble.

Art

http://home.epix.net/~artnpeg
 
David H. Lipman said:
Are you running Win95 ?
Click to expand...

Yes, WIN95B.
Please submit a sample of "stivc.exe" to Virus Total [..]
When you get the report, please post back the exact reults.
Click to expand...

Similar to the results Art obtained:

Scan results
File: stivc.exe
Date: 12/11/2005 23:16:59 (CET)
----
AntiVir 6.33.0.61/20051209 found nothing
Avast 4.6.695.0/20051210 found nothing
AVG 718/20051208 found nothing
Avira 6.33.0.61/20051209 found nothing
BitDefender 7.2/20051211 found [BehavesLike:Win32.ExplorerHijack]
CAT-QuickHeal 8.00/20051209 found nothing
ClamAV devel-20051108/20051209 found nothing
DrWeb 4.33/20051211 found [DLOADER.Trojan]
eTrust-Iris 7.1.194.0/20051211 found nothing
eTrust-Vet 11.9.1.0/20051209 found nothing
Fortinet 2.54.0.0/20051210 found [suspicious]
F-Prot 3.16c/20051209 found nothing
Ikarus 0.2.59.0/20051211 found nothing
Kaspersky 4.0.2.24/20051211 found [Backdoor.Win32.Agent.qn]
McAfee 4647/20051209 found nothing
NOD32v2 1.1318/20051211 found [probably unknown NewHeur_PE virus]
Norman 5.70.10/20051209 found nothing
Panda 8.02.00/20051211 found [Bck/Agent.AXY]
Sophos 4.00.0/20051211 found nothing
Symantec 8.0/20051211 found nothing
TheHacker 5.9.1.052/20051209 found nothing
VBA32 3.10.5/20051209 found [suspected of Trojan-Dropper.Delf.40]
Please execute; notepad c:\windows\system.ini
Click to expand...

No references to the virus in system.ini, just in the registry.

Thanks,
Steve
 
David H. Lipman said:
Are you running Win95 ?
Click to expand...

Yes, WIN95B.
Please submit a sample of "stivc.exe" to Virus Total [..]
When you get the report, please post back the exact reults.
Click to expand...

Similar to the results Art obtained:
Click to expand...

<snip results>

Similar but significantly different since Kaspersky doesn't alert on
the file I found. I tried scanning with KAV several different ways
(including the use of their online file scanner) ... and the results
were always nil. I've submitted the file to Kaspersky for analysis,
and I will report back when I hear from them. Of course, submissions
to Virus Total are supposed to be passed on to the av vendors, but
I sometimes submit suspect files myself just to make sure.

Art

http://home.epix.net/~artnpeg
 
From: "Steve Pope" <[email protected]>


< VT report snipped >

||
| No references to the virus in system.ini, just in the registry.
|
| Thanks,
| Steve

Please note exactly where in the Registry STIVC.EXE is found.
 
From: "Art" <[email protected]>


|
| <snip results>
|
| Similar but significantly different since Kaspersky doesn't alert on
| the file I found. I tried scanning with KAV several different ways
| (including the use of their online file scanner) ... and the results
| were always nil. I've submitted the file to Kaspersky for analysis,
| and I will report back when I hear from them. Of course, submissions
| to Virus Total are supposed to be passed on to the av vendors, but
| I sometimes submit suspect files myself just to make sure.
|
| Art
|
| http://home.epix.net/~artnpeg

Yes, they are supposed to be distributed but I get faster responses by direct submissions to
AV vendors.
 
My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?
Click to expand...

I heard back from Kaspersky on the stivc.exe file I submitted to them,
and they replied that "new malicious code" was found and that
detection would be included in the next update.

It seems your firewall may have prevented your system from being
hacked, so your personal data may still be personal :)

Do you have any idea how you got hit?

Art

http://home.epix.net/~artnpeg
 
Art said:
It seems your firewall may have prevented your system from being
hacked, so your personal data may still be personal :)

Do you have any idea how you got hit?
Click to expand...

No, other than that since I don't process email on this
(or any other) windows machine, the virus must have been on a webpage.

Thanks --

Steve
 
Steve said:
My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?

Thanks
Steve
Click to expand...

Do you have an HP scanner installed on your computer? I think it is
related to that.
 
David H. Lipman said:
Please note exactly where in the Registry STIVC.EXE is found.
Click to expand...

Three places. I am not knowledgeable on registry matters. Thanks.

Steve

My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

(where it is the value for field "h")

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(where it is the value for field "Shell")


My Computer\HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

(where it is the value for field "h")
 
From: "Steve Pope" <[email protected]>

|
| Three places. I am not knowledgeable on registry matters. Thanks.
|
| Steve
|
| My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find
| Spec MRU
|
| (where it is the value for field "h")
|
| My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| (where it is the value for field "Shell")
|
| My Computer\HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc
| Find Spec MRU
|
| (where it is the value for field "h")

OK. The MRUs are nothing to worry about.

You are saything this...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"shell"= "c:\windows\system32\stivc.exe"

it wasn't the following ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe c:\windows\system32\stivc.exe"
 
From: "Steve Pope" <[email protected]>

??>> Please note exactly where in the Registry STIVC.EXE is found.

| Three places. I am not knowledgeable on registry matters. Thanks.

| Steve

< snip >

This is what I got from Sophos Today...


Troj/Agent-FN is a Trojan for the Windows platform.

Troj/Agent-FN includes functionality to download, install and run new
software.

When first run Troj/Agent-FN copies itself to:

<System>\ntdsapp.dll
<System>\stivc.exe

and creates the following files:

<System>\delttsul.exe
<System>\imgcom.dll

where imgcom.dll is a file containing a set of URLs and may safely be
deleted.

The following registry entry is changed to run stivc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\stivc.exe

(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on
startup).

Troj/Agent-FN changes settings for Microsoft Internet Explorer by
modifying values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
 
David H. Lipman said:
The MRUs are nothing to worry about.
Click to expand...

Thanks. ("most recently used"?)
You are saything this...
Click to expand...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"shell"= "c:\windows\system32\stivc.exe"
Click to expand...
it wasn't the following ?
Click to expand...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe c:\windows\system32\stivc.exe"
Click to expand...

No, it wasnt.

Thanks
Steve
 
David H. Lipman said:
This is what I got from Sophos Today...
Click to expand...
Troj/Agent-FN is a Trojan for the Windows platform.

Troj/Agent-FN includes functionality to download, install and run new
software.

When first run Troj/Agent-FN copies itself to:

<System>\ntdsapp.dll
<System>\stivc.exe

and creates the following files:

<System>\delttsul.exe
<System>\imgcom.dll

where imgcom.dll is a file containing a set of URLs and may safely be
deleted.
Click to expand...

Yes, the other three files mentioned above were also on my
machine. I deleted them with no apparent side effects.

Steve
 
On that special day, Steve Pope, ([email protected]) said...
Yes, the other three files mentioned above were also on my
machine. I deleted them with no apparent side effects.
Click to expand...

Are you sure those files didn't invite "guests" or procure "children"?

Trojans are like roaches, it is hard to get rid of them, once they are
inside the house.


Gabriele Neukam

(e-mail address removed)
 
From: "Steve Pope" <[email protected]>


|
| No, I'm not sure. I appreciate the advice I've received here
| on this trojan, and any other tips on making sure my machine is
| clean.
|
| Thanks,
| Steve

You can scan you PC with the following tool.
I suggest both the McAfee and Kaspersky modules.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
I discovered a stivc.exe file on the internet and uploaded it
to VT. The result was quite interesting:

This is a report processed by VirusTotal on 12/11/2005
at 22:49:10 (CET) after scanning the file "stivc.exe" file.

AntiVir no virus found
Avast no virus found
AVG no virus found
Avira no virus found
BitDefender BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris no virus found
eTrust-Vet no virus found
Fortinet suspicious
F-Prot no virus found
Kaspersky no virus found
McAfee no virus found
NOD32v2 probably unknown NewHeur_PE virus
Norman no virus found
Panda Bck/Agent.AXY
Sophos no virus found
Symantec no virus found
TheHacker no virus found
VBA32 suspected of Trojan-Dropper.Delf.40
Click to expand...

Four days later here's the VT result:

This is a report processed by VirusTotal on 12/15/2005
at 18:29:00 (CET) after scanning the file "stivc.exe" file.

AntiVir BDS/Agent.QN
Avast Win32:Trojano-3095
AVG BackDoor.Agent.VH
Avira BDS/Agent.QN
BitDefender Backdoor.Agent.QN
CAT-QuickHeal Backdoor.Agent.qn
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris Win32/StartPage.Vall.57856!Troja
eTrust-Vet Win32/Startpage.SZ
Fortinet W32/Agent.FN!tr
F-Prot security risk named W32/Backdoor.HKT
Ikarus Backdoor.Win32.Agent.QN
Kaspersky Backdoor.Win32.Agent.qn
McAfee StartPage-CL
NOD32v2 probably unknown NewHeur_PE virus
Norman W32/Agent.LFS
Panda Bck/Agent.AXY
Sophos Troj/Agent-FN
Symantec no virus found
TheHacker Backdoor/Agent.qn
VBA32 Backdoor.Win32.Agent.qn

So after four days, clamav and NAV still have no detection. Neither
does NOD32 have a sig. It's still doing a heuristic type alert. I had
submitted to Kaspersky and I know that David Lipman had submitted to
Sophos (at least). Other than those, I don't know which vendors
received submissions from individuals. But Virus Total is supposed
to pass on the samples to vendors. Looks to me like that process
is not very swift and reliable. Neither is the alleged sample sharing
between vendors.

Art

http://home.epix.net/~artnpeg
 
Back
Top