Virus: Worm/Warezov.I.1
Date discovered: 08/09/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low
Static file: Yes
File size: 86.889 Bytes
MD5 checksum: 8420a6819eeb4092039eb4cf88764b3e
VDF version: 6.35.01.196
IVDF version: 6.35.01.200 - Friday, September 8, 2006

 General
Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Stration@MM
   •  TrendMicro: WORM_STRATION.AD
   •  Sophos: W32/Strati-Gen
   •  VirusBuster: trojan Trojan.Opnis.AC
   •  Bitdefender: BehavesLike:Trojan.Downloader


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


It displays the contents of an image file that it creates:


 Files
It copies itself to the following location:
   • %WINDIR%\svchost32.exe



The following file is created:

%malware execution directory%\%random character string%.tmp



It tries to download a file:

– The location is the following:
   • http://gadesunheranwui.com/chr/jjjk/**********
It is saved on the local hard drive under: %TEMPDIR%\~%two-digit random character string%.exe
Furthermore, this file is executed after it has been fully downloaded. At the time of writing, this file was not online for further investigation.

 Registry
The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   • "PendingFileRenameOperations"="\??\%WINDIR%\svchost32.exe"

 Email
It contains an integrated SMTP engine for sending emails. It establishes a direct connection with the destination server. Its characteristics are described below:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
–  In some cases it may be empty.
–  The body contains random characters.

 
The body of the email is one of the following lines:
   • Mail transaction failed. Partial message is available.
   • The message contains Unicode characters and has been sent as a binary attachment.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.


Attachment:

–  Random string
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Continued by one of the following fake extensions:
   • dat
   • elm
   • log
   • msg
   • txt

    The file extension is one of the following:
   • scr
   • exe
   • bat
   • pif
   • cmd

The attachment is a copy of the malware itself.
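
A mail-gateway check for the attachment naming scheme listed above, as an added example that is not part of the original description. It assumes the three parts are joined with dots (<name>.<fake extension>.<real extension>); the function names and sample filenames are constructed for illustration.

```python
import re

# Lists copied from the description above.
BASE_NAMES = {"body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"}
FAKE_EXTS = ("dat", "elm", "log", "msg", "txt")
REAL_EXTS = ("scr", "exe", "bat", "pif", "cmd")

# Assumption (not stated in the description): parts are joined with dots,
# i.e. <name>.<fake extension>.<real extension>.
PATTERN = re.compile(
    r"^(?P<base>.+)\.(?P<fake>{})\.(?P<real>{})$".format(
        "|".join(FAKE_EXTS), "|".join(REAL_EXTS)),
    re.IGNORECASE,
)


def classify_attachment(filename):
    """Return 'listed-name', 'random-name' or None for an attachment filename."""
    # Keep only the last path component in case the filename carries a path.
    name = re.split(r"[\\/]", filename.strip())[-1]
    match = PATTERN.match(name)
    if match is None:
        return None
    if match.group("base").lower() in BASE_NAMES:
        return "listed-name"
    return "random-name"  # covers the "Random string" case


def flag_attachments(filenames):
    """Map each suspicious filename to its classification."""
    results = {}
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict is not None:
            results[name] = verdict
    return results


# Constructed sample filenames, not taken from real traffic.
SAMPLES = ["document.txt.exe", "qzkfwp.log.SCR", "C:\\tmp\\Body.MSG.pif",
           "report.txt", "setup.exe", "notes.txt.pdf"]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLES).items():
        print(f"{verdict:12} {name}")
```

Single-extension files and harmless double extensions such as notes.txt.pdf are not flagged; only a listed fake extension followed by a listed executable extension matches.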



The email may look like one of the following:



 Mailing
Search addresses:
It searches the following files for email addresses:
   • xml; xls; wsh; wab; uin; txt; tbb; stm; shtm; sht; php; oft; ods; nch;
      msg; mmf; mht; mdx; mbx; jsp; html; htm; eml; dhtm; dbx; cgi; cfg;
      asp; adb

 File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • MEW

Description inserted by Gabriel Mustata on Monday, October 16, 2006
Description updated by Andrei Gherman on Tuesday, November 21, 2006
