found it at my antivirus Pc-cillin.com
Description
Solution Risk rating: Low
Virus type: Worm
Destructive: Yes
Aliases: STATOR.A, Stator Virus
Description:
This Worm modifies the registry so that it executes when an EXE file is opened. It replaces the extension of EXE files to VXD. It then copies itself to the EXE file and executes the backed-up VXD file. The executed file then runs normally. Its backdoor component allows a hacker to remotely access an infected system. It is disguised as JPEG photo file that displays a picture of a woman when executed. This was coded in Borland Delphi.
Solution:
Click START|FIND|Find Files or Folders...
Type REGEDIT.EXE in the text box and then click on the button Find Now.
Highlight the found file and press F2 to rename the extension COM. If prompted to continue with rename, click on YES.
Double click on the renamed REGEDIT and delete the below registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
ScanRegistry="C:\%winsysdir%\Scanregw.exe "%1"%*"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\
ScanRegistry="C:\%winsysdir%\Scanregw.exe "%1"%*"
Modify the below registry key command:HKEY_LOCAL_MACHINE\Software\Classes\exefile\Shell\
Open\Command
From:
(Default)="C:\%winsysdir%\loadpe.com "%1"%*"
To:
(Default)=""%1"%*"
Redo the above procedure with the registry keys:
HKEY_CLASSES_ROOT \exefile\Shell\ Open\
Command
Exit the registry
Search for the EXE files that were modified to have the VXD extension
Rename the files to their EXE file extension.
Reset your system
Scan your system with Trend antivirus and delete all files detected as WORM_STATOR.A. To do this, Trend customers must download the latest pattern fieand scan their system. Other email users may use Trend HouseCall, a free online virus scanner.
ADD: Or just get an antivirus scan... delet and edit the registry
