In the wild:
- Wednesday, August 30, 2006
Method of propagation:
• Email
Aliases:
• Symantec: W32/Stration@MM
• Kaspersky: Email-Worm.Win32.Warezov.h
• TrendMicro: WORM_STRATION.AY
• VirusBuster: Trojan.Opnis.AH
• Eset: Win32/Stration.N
• Bitdefender: Win32.Worm.Stration.C
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads a file
• Drops a file
• Drops a malicious file
• Uses its own Email engine
• Registry modification
Right after execution the following information is displayed:
It copies itself to the following location:
The following files are created:
– A file that contains collected email addresses:
  %malware execution directory%
  %two-digit random character string%
– \rsmb.dll
  Used to hide a process. Detected as: Worm/Warezov.C
It tries to download a file:
– The location is the following:
At the time of writing this file was not online for further investigation.
The following registry key is added in order to run the process after reboot:
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
The sender address is spoofed.
Recipients:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
Subject:
One of the following:
• Good day
• Mail Delivery System
• Mail Transaction Failed
The body of the email is one of the lines:
• The message contains Unicode characters and has been sent as a binary attachment.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
• Mail transaction failed. Partial message is available.
The filename of the attachment is constructed out of the following:
– It starts with one of the following:
Continued by one of the following fake extensions:
The file extension is one of the following:
The attachment is a copy of the malware itself.
The email looks like the following:
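The lure traits listed above (bounce-style subject, one of the three body lines, and a Win32 executable attached in place of a real bounce) can be checked mechanically. The following is an added detection example written for this page, not code from Avira's description; the sample message it builds is constructed, with an invented attachment name and a stub attachment carrying only the MZ magic.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure subjects and body lines exactly as listed in the description above.
LURE_SUBJECTS = {"good day", "mail delivery system", "mail transaction failed"}
LURE_BODY_LINES = (
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
    "mail transaction failed. partial message is available.",
)


def _norm(text: str) -> str:
    # Lowercase and collapse whitespace so line-wrapped copies of a lure line still match.
    return " ".join(text.lower().split())


def score_message(raw: bytes) -> dict:
    """Report which Stration/Warezov lure traits a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = _norm(str(msg.get("Subject", ""))) in LURE_SUBJECTS
    body = msg.get_body(preferencelist=("plain",))
    body_text = _norm(body.get_content()) if body is not None else ""
    body_hit = any(line in body_text for line in LURE_BODY_LINES)
    # A genuine non-delivery report never carries a Win32 executable; the worm always does,
    # whatever the faked extension in the filename claims, so test the DOS/PE magic bytes.
    pe_attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            pe_attachments.append(part.get_filename() or "<unnamed>")
    return {
        "subject_lure": subject_hit,
        "body_lure": body_hit,
        "pe_attachments": pe_attachments,
        "suspicious": (subject_hit or body_hit) and bool(pe_attachments),
    }


def build_sample() -> bytes:
    """Constructed sample resembling the described email; attachment is a 64-byte MZ stub, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.invalid"  # constructed spoofed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message contains Unicode characters and has been sent\nas a binary attachment.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="report.txt.exe")  # constructed filename
    return msg.as_bytes()
```

Run `score_message()` over .eml files from a mail archive to triage messages; a hit on both a lure and an MZ attachment is the combination a legitimate MTA bounce never produces.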
It searches the following files for email addresses:
• xml; xls; wsh; wab; uin; txt; tbb; stm; shtm; sht; php; oft; ods; nch;
msg; mmf; mht; mdx; mbx; jsp; html; htm; eml; dhtm; dbx; cgi; cfg;
The malware program was written in MS Visual C++.
To hinder detection and reduce the file size, it is packed with the following runtime packer:
Description inserted by Irina Boldea on Thursday, October 12, 2006
Description updated by Irina Boldea on Thursday, October 19, 2006