stivc.exe

[Steve Pope]

My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?

Thanks
Steve

 

[David H. Lipman]

From: "Steve Pope" <[email protected]>

| My firewall warned me that windows/system/stivc.exe was trying to
| access the net; a bit of googling suggests that this is a
| trojan, it should be deleted (which I did), and references to
| it in the Windows 95 registry should be removed (which I
| did not do, but they do not seem to be causing a problem).
|
| NAV does not consider this file a virus. It has not re-appeared.
|
| Is this a known virus, and is there anything else I should do
| about it?
|
| Thanks
| Steve

Are you running Win95 ?

Please submit a sample of "stivc.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all paricipating vendors.

When you get the report, please post back the exact reults.

Please execute; notepad c:\windows\system.ini

in the [boot] section Look for...
shell=

it should be
shell=Explorer.exe

If it is...
shell=Explorer.exe c:\windows\system\stivc.exe
or anything else...

Change it to...
shell=Explorer.exe

Then reboot the PC.

 

[Art]

Please submit a sample of "stivc.exe" to Virus Total --

I discovered a stivc.exe file on the internet and uploaded it
to VT. The result was quite interesting:

This is a report processed by VirusTotal on 12/11/2005
at 22:49:10 (CET) after scanning the file "stivc.exe" file.

AntiVir no virus found
Avast no virus found
AVG no virus found
Avira no virus found
BitDefender BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris no virus found
eTrust-Vet no virus found
Fortinet suspicious
F-Prot no virus found
Kaspersky no virus found
McAfee no virus found
NOD32v2 probably unknown NewHeur_PE virus
Norman no virus found
Panda Bck/Agent.AXY
Sophos no virus found
Symantec no virus found
TheHacker no virus found
VBA32 suspected of Trojan-Dropper.Delf.40

Since most detections appear to be heuristic, it looks like the
file I found is either new malware or a new variant of something or
other. That's not to say, of course, that the file I found is the
same one that gave the OP trouble.

Art

http://home.epix.net/~artnpeg

 

[Steve Pope]

Are you running Win95 ?

Yes, WIN95B.

Please submit a sample of "stivc.exe" to Virus Total [..]
When you get the report, please post back the exact reults.

Similar to the results Art obtained:

Scan results
File: stivc.exe
Date: 12/11/2005 23:16:59 (CET)
----
AntiVir 6.33.0.61/20051209 found nothing
Avast 4.6.695.0/20051210 found nothing
AVG 718/20051208 found nothing
Avira 6.33.0.61/20051209 found nothing
BitDefender 7.2/20051211 found [BehavesLike:Win32.ExplorerHijack]
CAT-QuickHeal 8.00/20051209 found nothing
ClamAV devel-20051108/20051209 found nothing
DrWeb 4.33/20051211 found [DLOADER.Trojan]
eTrust-Iris 7.1.194.0/20051211 found nothing
eTrust-Vet 11.9.1.0/20051209 found nothing
Fortinet 2.54.0.0/20051210 found [suspicious]
F-Prot 3.16c/20051209 found nothing
Ikarus 0.2.59.0/20051211 found nothing
Kaspersky 4.0.2.24/20051211 found [Backdoor.Win32.Agent.qn]
McAfee 4647/20051209 found nothing
NOD32v2 1.1318/20051211 found [probably unknown NewHeur_PE virus]
Norman 5.70.10/20051209 found nothing
Panda 8.02.00/20051211 found [Bck/Agent.AXY]
Sophos 4.00.0/20051211 found nothing
Symantec 8.0/20051211 found nothing
TheHacker 5.9.1.052/20051209 found nothing
VBA32 3.10.5/20051209 found [suspected of Trojan-Dropper.Delf.40]

Please execute; notepad c:\windows\system.ini

No references to the virus in system.ini, just in the registry.

Thanks,
Steve

 

[Art]

Are you running Win95 ?

Yes, WIN95B.

Please submit a sample of "stivc.exe" to Virus Total [..]
When you get the report, please post back the exact reults.

Similar to the results Art obtained:

<snip results>

Similar but significantly different since Kaspersky doesn't alert on
the file I found. I tried scanning with KAV several different ways
(including the use of their online file scanner) ... and the results
were always nil. I've submitted the file to Kaspersky for analysis,
and I will report back when I hear from them. Of course, submissions
to Virus Total are supposed to be passed on to the av vendors, but
I sometimes submit suspect files myself just to make sure.

Art

http://home.epix.net/~artnpeg

 

[David H. Lipman]

From: "Steve Pope" <[email protected]>


< VT report snipped >

||
| No references to the virus in system.ini, just in the registry.
|
| Thanks,
| Steve

Please note exactly where in the Registry STIVC.EXE is found.

 

[David H. Lipman]

From: "Art" <[email protected]>


|
| <snip results>
|
| Similar but significantly different since Kaspersky doesn't alert on
| the file I found. I tried scanning with KAV several different ways
| (including the use of their online file scanner) ... and the results
| were always nil. I've submitted the file to Kaspersky for analysis,
| and I will report back when I hear from them. Of course, submissions
| to Virus Total are supposed to be passed on to the av vendors, but
| I sometimes submit suspect files myself just to make sure.
|
| Art
|
| http://home.epix.net/~artnpeg

Yes, they are supposed to be distributed but I get faster responses by direct submissions to
AV vendors.

 

[Art]

My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?

I heard back from Kaspersky on the stivc.exe file I submitted to them,
and they replied that "new malicious code" was found and that
detection would be included in the next update.

It seems your firewall may have prevented your system from being
hacked, so your personal data may still be personal

Do you have any idea how you got hit?

Art

http://home.epix.net/~artnpeg

 

[Steve Pope]

It seems your firewall may have prevented your system from being
hacked, so your personal data may still be personal

Do you have any idea how you got hit?

No, other than that since I don't process email on this
(or any other) windows machine, the virus must have been on a webpage.

Thanks --

Steve

 

[badgolferman]

My firewall warned me that windows/system/stivc.exe was trying to
access the net; a bit of googling suggests that this is a
trojan, it should be deleted (which I did), and references to
it in the Windows 95 registry should be removed (which I
did not do, but they do not seem to be causing a problem).

NAV does not consider this file a virus. It has not re-appeared.

Is this a known virus, and is there anything else I should do
about it?

Thanks
Steve

Do you have an HP scanner installed on your computer? I think it is
related to that.

 

[Steve Pope]

Please note exactly where in the Registry STIVC.EXE is found.

Three places. I am not knowledgeable on registry matters. Thanks.

Steve

My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

(where it is the value for field "h")

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(where it is the value for field "Shell")


My Computer\HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

(where it is the value for field "h")

 

[David H. Lipman]

From: "Steve Pope" <[email protected]>

|
| Three places. I am not knowledgeable on registry matters. Thanks.
|
| Steve
|
| My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find
| Spec MRU
|
| (where it is the value for field "h")
|
| My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
| (where it is the value for field "Shell")
|
| My Computer\HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc
| Find Spec MRU
|
| (where it is the value for field "h")

OK. The MRUs are nothing to worry about.

You are saything this...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"shell"= "c:\windows\system32\stivc.exe"

it wasn't the following ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe c:\windows\system32\stivc.exe"

 

[David H. Lipman]

From: "Steve Pope" <[email protected]>

??>> Please note exactly where in the Registry STIVC.EXE is found.

| Three places. I am not knowledgeable on registry matters. Thanks.

| Steve

< snip >

This is what I got from Sophos Today...


Troj/Agent-FN is a Trojan for the Windows platform.

Troj/Agent-FN includes functionality to download, install and run new
software.

When first run Troj/Agent-FN copies itself to:

<System>\ntdsapp.dll
<System>\stivc.exe

and creates the following files:

<System>\delttsul.exe
<System>\imgcom.dll

where imgcom.dll is a file containing a set of URLs and may safely be
deleted.

The following registry entry is changed to run stivc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <System>\stivc.exe

(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on
startup).

Troj/Agent-FN changes settings for Microsoft Internet Explorer by
modifying values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\

 

[Steve Pope]

The MRUs are nothing to worry about.

Thanks. ("most recently used"?)

You are saything this...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"shell"= "c:\windows\system32\stivc.exe"

it wasn't the following ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe c:\windows\system32\stivc.exe"

No, it wasnt.

Thanks
Steve

 

[Steve Pope]

This is what I got from Sophos Today...

Troj/Agent-FN is a Trojan for the Windows platform.

Troj/Agent-FN includes functionality to download, install and run new
software.

When first run Troj/Agent-FN copies itself to:

<System>\ntdsapp.dll
<System>\stivc.exe

and creates the following files:

<System>\delttsul.exe
<System>\imgcom.dll

where imgcom.dll is a file containing a set of URLs and may safely be
deleted.

Yes, the other three files mentioned above were also on my
machine. I deleted them with no apparent side effects.

Steve

 

[Pekka de Groot]

Do you have an HP scanner installed on your computer? I think it is
related to that.

I think you might confuse this file with stisvc.exe (Still Image
Devices Monitor from MS).

http://www.processlibrary.com/directory/files/stisvc/

Cheers,

Pekka de G.

 

[Gabriele Neukam]

On that special day, Steve Pope, ([email protected]) said...

Yes, the other three files mentioned above were also on my
machine. I deleted them with no apparent side effects.

Are you sure those files didn't invite "guests" or procure "children"?

Trojans are like roaches, it is hard to get rid of them, once they are
inside the house.


Gabriele Neukam

(e-mail address removed)

 

[Steve Pope]

Steve Pope, ([email protected]) said...

Are you sure those files didn't invite "guests" or procure "children"?

No, I'm not sure. I appreciate the advice I've received here
on this trojan, and any other tips on making sure my machine is
clean.

Thanks,
Steve

 

[David H. Lipman]

From: "Steve Pope" <[email protected]>


|
| No, I'm not sure. I appreciate the advice I've received here
| on this trojan, and any other tips on making sure my machine is
| clean.
|
| Thanks,
| Steve

You can scan you PC with the following tool.
I suggest both the McAfee and Kaspersky modules.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *

 

[Art]

I discovered a stivc.exe file on the internet and uploaded it
to VT. The result was quite interesting:

This is a report processed by VirusTotal on 12/11/2005
at 22:49:10 (CET) after scanning the file "stivc.exe" file.

AntiVir no virus found
Avast no virus found
AVG no virus found
Avira no virus found
BitDefender BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris no virus found
eTrust-Vet no virus found
Fortinet suspicious
F-Prot no virus found
Kaspersky no virus found
McAfee no virus found
NOD32v2 probably unknown NewHeur_PE virus
Norman no virus found
Panda Bck/Agent.AXY
Sophos no virus found
Symantec no virus found
TheHacker no virus found
VBA32 suspected of Trojan-Dropper.Delf.40

Four days later here's the VT result:

This is a report processed by VirusTotal on 12/15/2005
at 18:29:00 (CET) after scanning the file "stivc.exe" file.

AntiVir BDS/Agent.QN
Avast Win32:Trojano-3095
AVG BackDoor.Agent.VH
Avira BDS/Agent.QN
BitDefender Backdoor.Agent.QN
CAT-QuickHeal Backdoor.Agent.qn
ClamAV no virus found
DrWeb DLOADER.Trojan
eTrust-Iris Win32/StartPage.Vall.57856!Troja
eTrust-Vet Win32/Startpage.SZ
Fortinet W32/Agent.FN!tr
F-Prot security risk named W32/Backdoor.HKT
Ikarus Backdoor.Win32.Agent.QN
Kaspersky Backdoor.Win32.Agent.qn
McAfee StartPage-CL
NOD32v2 probably unknown NewHeur_PE virus
Norman W32/Agent.LFS
Panda Bck/Agent.AXY
Sophos Troj/Agent-FN
Symantec no virus found
TheHacker Backdoor/Agent.qn
VBA32 Backdoor.Win32.Agent.qn

So after four days, clamav and NAV still have no detection. Neither
does NOD32 have a sig. It's still doing a heuristic type alert. I had
submitted to Kaspersky and I know that David Lipman had submitted to
Sophos (at least). Other than those, I don't know which vendors
received submissions from individuals. But Virus Total is supposed
to pass on the samples to vendors. Looks to me like that process
is not very swift and reliable. Neither is the alleged sample sharing
between vendors.

Art

http://home.epix.net/~artnpeg