Virus: TR/Drop.Stration.677
Date discovered: 26/10/2006
Type: Trojan
Subtype: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 109.100 Bytes
MD5 checksum: 41b787a3275255e4e17360ba59cdc763
VDF version: 6.36.01.60
IVDF version: 6.36.01.63 - Tuesday, November 21, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/Stration@MM
   •  Kaspersky: Email-Worm.Win32.Warezov.dq
   •  Sophos: W32/Stratio-BW
   •  Eset: Win32/Stration.KQ

It was previously detected as:
   • TR/Hijack.Explor.677


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files
The following files are created:

%SYSDIR%\audmgr32.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ

%SYSDIR%\audconf.exe This file is executed once it has been fully written. Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ.2

%SYSDIR%\audperf.exe Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ.10

%SYSDIR%\audprf32.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ.3

%SYSDIR%\audstat.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ.6

%SYSDIR%\confaud.dll Further investigation pointed out that this file is malware, too. Detected as: WORM/Warezov.DQ.1

Registry
The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\audmgr]
   • "Asynchronous"=dword:00000000
   • "DllName"="audmgr32.dll"
   • "Impersonate"=dword:00000000
   • "Startup"="WlxStartup"
   • "Shutdown"="WlxShutdown"



The following registry key is changed:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • "AppInit_DLLs"=""
   New value:
   • "AppInit_DLLs"=" confaud.dll audstat.dll"

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • MEW

Description inserted by Monica Ghitun on Thursday, October 26, 2006
Description updated by Adriana Popa on Tuesday, November 21, 2006
