Virus:Worm/Stration.X
Date discovered:01/09/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:82.411 Bytes
MD5 checksum:e3cc9c2dd92feb6bad657d887b038156
VDF version:6.35.01.173
IVDF version:6.35.01.177 - Monday, September 4, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Stration@MM
   •  TrendMicro: WORM_STRATION.CD
   •  Sophos: W32/Stration-J
   •  VirusBuster: iworm Trojan.Opnis.AL
   •  Bitdefender: Win32.Worm.Stration.C


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification


Right after execution it runs a windows application which will display the following window:


 Files It copies itself to the following location:
   • %WINDIR%\rsmb32.exe



The following files are created:

– Non malicious files:
   • %WINDIR%\rsmb32.gfx
   • %WINDIR%\rsmb32.z
   • %malware execution directory%\%hex number%.tmp

– A file that contains collected email addresses:
   • %WINDIR%\rsmb32.wax

%WINDIR%\rsmb32.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.L


– The location is the following:
   • http://gadesunheranwui.com/chr/zjjk/**********
It is saved on the local hard drive under: %TEMPDIR%\~%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "rsmb32"="%WINDIR%\rsmb32.exe s"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:

 
The body of the email is one of the lines:
   • The message contains Unicode characters and has been sentas a binary attachment.
   • The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment
   • Mail transaction failed. Partial message is available.


Attachment:
The filenames of the attachments is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

Continued by one of the following:
   • dat
   • elm
   • log
   • msg
   • txt

    Continued by one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr



Here are a few examples of how the filename of the attachment might look like:
   • document.log.cmd
   • test.log.scr

The attachment is a copy of the malware itself.



The email looks like the following:


 Mailing Search addresses:
It searches the following files for email addresses:
   • asp; cfg; cgi; dbx; eml; htm; jsp; mbx; mdx; mht; mmf; msg; nch; ods;
      oft; php; sht; stm; tbb; txt; uin


Address generation for FROM field:
To generate addresses it uses the following strings:
   • adam; anna; alice; betty; bob; brenda; brent; brian; carol; claudia;
      craig; cyber; dan; dave; david; debby; den; Donna; frank; george;
      gerhard; helen; james; jane; jayson; jerry; jim; joe; john; karen;
      linda; lisa; mancy; maria; ruth; sandra; sharon; Susan

It may combine the first string with one of the following:
   • adams; allen; anderson; baker; carter; clark; garcia; gonzalez; green;
      hall; harris; hernandez; hill; jackson; jeremy; joe; kenneth; king;
      lee; lewis; lopez; martinez; miller; molly; moore; nelson; robinson;
      robyn; rodriguez; scott; shaan; taylor; thomas; thompson; walker;
      white; wilson; wright; young


The domain is one of the following:
   • care2.com; email.myway.com; fastmail.fm; gmail.com; goowy.com;
      hotmail.com; inbox.com; mail.aim.com; mail.com; mail.lycos.com;
      yahoo.com

Here you can find examples of generated addresses:
   • frank &ltfrank_2000@care2.com>
   • jerry lopez &ltjerry.lopez@goowy.com>
   • jerry robyn &ltjerryjbwax@mail.lycos.com>

 Backdoor Contact server:
The following:
   • http://gadesunheranwui.com/cgi-bin/**********

As a result it may send some information. This is done via the HTTP POST method using a CGI script.


Sends information about:
    • Current malware status

 Injection –  It injects the following file into a process: %WINDIR%\rsmb32.dll

    All of the following processes:
   • %all processes started after malware is active in memory%
   • Explorer.EXE


 Rootkit Technology It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.


Hides the following:
– Its own process

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Ionut Slaveanu on Thursday, September 21, 2006
Description updated by Ionut Slaveanu on Thursday, September 21, 2006

Back . . . .