Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Stration.C
Date discovered:19/09/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:No
File size:~115.000 Bytes
VDF version:6.36.00.33
IVDF version:6.36.00.43 - Thursday, September 21, 2006

 General Method of propagation:
   • Email


Alias:
   •  Kaspersky: Email-Worm.Win32.Warezov.at
   •  Sophos: W32/Stratio-AN


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Steals information
   • Third party control


Right after execution it runs a windows application which will display the following window:


 Files It copies itself to the following location:
   • %WINDIR%\t2serv.exe



The following files are created:

Non malicious files:
   • %malware execution directory%\10.tmp
   • %WINDIR%\tserv.s

– A file that contains collected email addresses:
   • %WINDIR%\t2serv.wax

%SYSDIR%\cscdgcde.dll Further investigation pointed out that this file is malware, too.
%SYSDIR%\esenmqtr.dll Further investigation pointed out that this file is malware, too.
%SYSDIR%\esenprfl.dll Further investigation pointed out that this file is malware, too.
%SYSDIR%\e1.dll Further investigation pointed out that this file is malware, too.
%WINDIR%\t2serv.dll Further investigation pointed out that this file is malware, too.



It tries to download some files:

The location is the following:
   • http://www3.vertionkdaseliplim.com/chr/grv/**********
It is saved on the local hard drive under: %TEMPDIR%\~%number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

The location is the following:
   • http://www3.vertionkdaseliplim.com/chr/grv/**********
It is saved on the local hard drive under: %TEMPDIR%\~%number%.tmp Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • t2serv = %WINDIR%\t2serv.exe



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • AppInit_DLLs =
   New value:
   • AppInit_DLLs = cscdgcde.dll e1.sll

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.
 Email addresses gathered from WAB (Windows Address Book)


Email design:



From: sec@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.exe



From: secur@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.exe



From: serv@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.exe


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the lines:
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • The message contains Unicode characters and has been sent as a binary attachment


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Sometimes continued by one of the following fake extensions:
   • dat
   • elm
   • log
   • msg
   • txt

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr

The attachment is a copy of the malware described here: Worm/Warezov.DLL.C



The email may look like one of the following:



 Mailing Search addresses:
It searches the following file for email addresses:
   • %every *.htm file%

 Backdoor Contact server:
All of the following:
   • http://www3.vertionkdaseliplim.com/cgi-bin/**********
   • http://www3.vertionkdaseliplim.com/cgi-bin/**********

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection. This is done via the HTTP GET and POST method using a PHP script.

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Gherman on Monday, September 25, 2006
Description updated by Andrei Gherman on Friday, October 20, 2006

Back . . . .