Virus: TR/Dldr.Stration.C.2
Date discovered: 20/10/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: Medium to high
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: 11.780 Bytes
VDF version: 6.36.00.138
IVDF version: 6.36.00.155 - Tuesday, October 24, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Stration.dr
   •  Sophos: W32/Stratio-AY
   •  VirusBuster: Trojan.DL.Agent.QLY


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops a file


Right after execution it runs a Windows application that displays a message window (screenshot not reproduced here; the original image was edited for display purposes).

Files
It copies itself to the following location. Random bytes are appended to the copy, so its size and hash differ from the original sample; matching the dropped copy against a hash of the spammed attachment will therefore fail:
   • %SYSDIR%\%10 digit random character string%.exe



The following file is created:
   • %malware execution directory%\%hex number%.tmp
This is a non-malicious text file with the following content:
   • %random character string%




It tries to download a file:

– The location is the following:
   • http://www6.hertionkadesinpoion.com/chr/821/**********
It is saved on the local hard drive under %TEMPDIR%\~%hex number%.tmp and is executed once the download has completed. Further investigation showed that this file is malware, too. Detected as: Worm/Stration.C

Email
It doesn't have its own spreading routine but was spammed out via email. The characteristics are described in the following:


From:
The sender address is spoofed.


Email design:


Subject: Mail server report.
Body:
   • Mail server report.
     
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     
     
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     
     Please install updates for worm elimination and your computer restoring.
     
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.exe


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the following lines:
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • The message contains Unicode characters and has been sent as a binary attachment


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

– Sometimes continued by one of the following:
   • dat
   • elm
   • log
   • msg
   • txt

– The file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr
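The filename rules above form a small grammar, which a mail gateway can turn into a match rule. The following Python is an added example written for this page, not code from the original description or from Avira: it joins the prefix, optional middle part and extension lists into one regular expression and also covers the Update-KB%number%-x86.exe attachment of the "Mail server report." lure. The page does not say how the optional middle part is joined to the prefix, so accepting no separator, "." or "_" is an assumption, as is reading %number% as one or more digits; the sample attachment names are constructed, not taken from real mail traffic.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Name components taken from the attachment description above.
PREFIXES = ("body", "data", "doc", "docs", "document", "file",
            "message", "readme", "test", "text")
MIDDLES = ("dat", "elm", "log", "msg", "txt")
EXTENSIONS = ("bat", "cmd", "exe", "pif", "scr")


def _alternation(words: Iterable[str]) -> str:
    """Build a regex alternation; longest words first so list order does not matter."""
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# Generic lure: <prefix>[<middle>].<ext>. The description does not say how the optional
# middle part is joined to the prefix, so accepting no separator, "." or "_" is an ASSUMPTION.
GENERIC_RE = re.compile(
    r"^(?:%s)(?:[._]?(?:%s))?\.(?:%s)$"
    % (_alternation(PREFIXES), _alternation(MIDDLES), _alternation(EXTENSIONS)),
    re.IGNORECASE,
)

# "Mail server report." lure: Update-KB%number%-x86.exe; %number% is ASSUMED to be one or more digits.
KB_UPDATE_RE = re.compile(r"^Update-KB\d+-x86\.exe$", re.IGNORECASE)


def classify_attachment(filename: str) -> Optional[str]:
    """Return 'kb-update', 'generic' or None for an attachment file name.

    Directory components and surrounding whitespace are stripped first, because
    some mail clients hand over the full Content-Disposition value.
    """
    name = filename.strip().replace("\\", "/").rsplit("/", 1)[-1]
    if KB_UPDATE_RE.match(name):
        return "kb-update"
    if GENERIC_RE.match(name):
        return "generic"
    return None


def scan_attachments(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (name, lure) pairs for every attachment name that matches a Stration pattern."""
    hits = []
    for n in names:
        label = classify_attachment(n)
        if label is not None:
            hits.append((n, label))
    return hits


# Constructed sample attachment names (not taken from real mail traffic).
SAMPLE_ATTACHMENTS = [
    "Update-KB3287-x86.exe",   # first lure
    "document.txt.exe",        # prefix + middle + executable extension
    "Body_log.SCR",            # case and "_" separator variant
    "readme.pif",              # prefix + extension only
    "quarterly_report.pdf",    # benign, not flagged
    "document.txt",            # benign: extension is not executable
    "Update-KB-x86.exe",       # malformed, no digits, not flagged
]

if __name__ == "__main__":
    for name, lure in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name}: matches Stration {lure} lure")
```

Because the dropped copy has random bytes appended (see Files), the attachment name is one of the few stable indicators, which is why the rule keys on it; a legitimate "document.txt" is not flagged because the extension must be one of the executable types listed above.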

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX
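A quick way to confirm the packer claim on a sample is to read the PE section table: UPX writes sections named UPX0 and UPX1 by default and leaves a "UPX!" marker in its pack header. The Python below is an added example for this page, not Avira's code or tooling; it parses the DOS header, PE signature and COFF header by hand to reach the section names, and builds two constructed, header-only PE images as input so it runs without a real sample. Treat the result as a heuristic: section names are trivially renamed by a custom stub, so a file that fails the check may still be packed.

```python
import struct
from typing import List

# Section names UPX writes by default; a custom stub can rename them, so this is a heuristic.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"  # marker UPX stores in its pack header


def pe_section_names(data: bytes) -> List[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return the names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)     # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #                    NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes and starts with the 8-byte Name
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw = data[off:off + 8].split(b"\0", 1)[0]
        names.append(raw.decode("ascii", errors="replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if the section names or the UPX! marker point at a UPX-packed PE; False for non-PE input."""
    try:
        names = pe_section_names(data)
    except ValueError:
        return False
    return bool(UPX_SECTION_NAMES.intersection(names)) or UPX_MAGIC in data


def build_sample_pe(section_names: List[str]) -> bytes:
    """Constructed minimal PE32 image with the given section names (headers only, no code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)  # i386, PE32
    optional = bytearray(224)                         # PE32 optional header, zero except Magic
    struct.pack_into("<H", optional, 0, 0x10B)
    sections = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


# Constructed samples: a UPX-style layout and a plain compiler layout.
UPX_SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_SAMPLE = build_sample_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, sample in (("upx", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, pe_section_names(sample), "UPX-packed:", looks_upx_packed(sample))
```

Run against a real sample with `looks_upx_packed(open(path, "rb").read())`; if the check is positive, `upx -d` on a copy yields the unpacked binary for further analysis, while the appended random bytes noted under Files will still make every dropped copy hash differently.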

Description inserted by Andrei Ivanes on Friday, October 20, 2006
Description updated by Oliver Auerbach on Sunday, October 22, 2006
