Virus:Worm/Stration.B.1
Date discovered:24/08/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:86.048 Bytes
MD5 checksum:f973b4c2739d8344d1eb2b7185f55ab0
VDF version:6.35.01.135
IVDF version:6.35.01.138 - Friday, August 25, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Stration@MM
   •  Kaspersky: Trojan-Downloader.Win32.Agent.atq
   •  F-Secure: Trojan-Downloader.Win32.Agent.atq
   •  Sophos: W32/Stration-E
   •  VirusBuster: Trojan.Opnis.AA
   •  Eset: Win32/Stration.C
   •  Bitdefender: Win32.HLLW.Stration.A


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Uses its own Email engine


Right after execution it runs a windows application which will display the following window:


 Files It copies itself to the following location:
   • %WINDIR%\svchost32.exe



The following files are created:

– Non malicious file:
   • %WINDIR%\svchost32.xml

%malware execution directory%\%hex number%.tmp This is a non malicious text file with the following content:
   • %random character string%




It tries to download a file:

– The location is the following:
   • http://gadesunheranwui.com/chr/jjjk/**********
It is saved on the local hard drive under: %TEMPDIR%\~%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry key is changed:

– HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
   New value:
   • "PendingFileRenameOperations"="\??\%WINDIR%\svchost32.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
– Generated addresses


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the lines:
   • The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment
   • The message contains Unicode characters and has been sentas a binary attachment.
   • Mail transaction failed. Partial message is available.


Attachment:
The filenames of the attachments is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Continued by one of the following fake extensions:
   • dat
   • elm
   • log
   • msg
   • txt

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr



Here are a few examples of how the filename of the attachment might look like:
   • message.msg.exe
   • docs.txt.cmd
   • test.log.bat

The attachment is a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • xml; xls; wsh; wab; uin; txt; tbb; stm; shtm; sht; php; oft; ods; nch;
      msg; mmf; mht; mdx; mbx; jsp; html; htm; eml; dhtm; dbx; cgi; cfg;
      asp; adb

 Backdoor Contact server:
The following:
   • http://gadesunheranwui.com/**********

As a result it may send some information. This is done via the HTTP POST method using a CGI script.

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • MEW 11

Description inserted by Teodor Onisor on Tuesday, August 29, 2006
Description updated by Teodor Onisor on Thursday, September 14, 2006

Back . . . .