Virus: TR/Drop.Stration.E
Date discovered: 07/11/2006
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: High
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: ~32.000 Bytes
VDF version: 6.36.00.220
IVDF version: 6.36.00.244 - Tuesday, November 7, 2006

 General Method of propagation:
   • No own spreading routine


Alias:

It was previously detected as:
   •  TR/Dlrd.Stration.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file

Files:
The following file is created:

   • %SYSDIR%\%random character string%.exe
     It is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.Stration.C

Email:
It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described below:


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail delivery Error
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the following:

   • The message contains Unicode characters and has been sent
     as a binary attachment.

   • The message cannot be represented in 7-bit ASCII encoding
     and has been sent as a binary attachment

   • The received letter contained some errors. It is delivered as an attachment.
      ------
     Mail server note

   • Mail transaction failed. Partial message is available.


Attachment:
The filename of the attachment is constructed out of the following:

–  It starts with one of the following:
   • attach
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

Sometimes continued by one of the following:
   • %number%

    Sometimes continued by one of the following fake extensions:
   • .txt
   • dat
   • elm
   • log
   • msg
   • txt

    The file extension is one of the following:
   • %empty spaces% .exe
   • bat
   • cmd
   • exe
   • pif
   • scr
   • zip



Here are a few examples of what the filename of the attachment might look like:
   • attach1015..txt. exe
   • document.dat.cmd
   • file.zip
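
A mail-filter check built from the subject list and the attachment-name construction above, as an added example that is not part of the original description. The function names and the separator handling (any run of dots and whitespace between name parts, to cover the padded forms shown in the examples) are assumptions.

```python
import re

# Values copied from the description above.
SUBJECTS = {"error", "good day", "hello", "mail delivery error",
            "mail delivery system", "mail transaction failed",
            "picture", "server report", "status", "test"}
PREFIXES = ["attach", "body", "data", "doc", "docs", "document",
            "file", "message", "readme", "test", "text"]
FAKE_EXTS = ["txt", "dat", "elm", "log", "msg"]
FINAL_EXTS = ["exe", "bat", "cmd", "pif", "scr", "zip"]

# Assumption: name parts are separated by any run of dots and whitespace,
# which covers "..txt" and the space-padded ". exe" forms.
SEP = r"[.\s]+"


def _alt(items):
    # Longest alternatives first so "docs" is tried before "doc".
    return "|".join(sorted(items, key=len, reverse=True))


ATTACHMENT_RE = re.compile(
    rf"^(?P<prefix>{_alt(PREFIXES)})(?P<number>\d+)?"
    rf"(?:{SEP}(?P<fake_ext>{_alt(FAKE_EXTS)}))?"
    rf"{SEP}(?P<final_ext>{_alt(FINAL_EXTS)})$",
    re.IGNORECASE,
)


def match_attachment(filename):
    """Return the parsed name parts if the filename fits the pattern, else None."""
    m = ATTACHMENT_RE.match(filename.strip())
    return m.groupdict() if m else None


def triage(subject, filename):
    """List which of the described characteristics a message shows."""
    hits = []
    if " ".join(subject.lower().split()) in SUBJECTS:
        hits.append("subject")
    if match_attachment(filename):
        hits.append("attachment")
    return hits


if __name__ == "__main__":
    # Constructed test messages; the first three filenames are the page's examples.
    for subj, name in [("Server Report", "attach1015..txt. exe"), ("hello", "document.dat.cmd"),
                       ("Status", "file.zip"), ("Lunch?", "readme.txt")]:
        print(f"{subj!r:16} {name!r:26} -> {triage(subj, name)}")
```

A subject match alone is weak evidence because the subjects are generic; the attachment-name match is the more specific of the two signals.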




File details:
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Tuesday, November 7, 2006
Description updated by Andrei Gherman on Tuesday, November 7, 2006
