Virus:Worm/Stration.G
Date discovered:22/11/2006
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:No
File size:~110.000 Bytes
VDF version:6.36.01.66
IVDF version:6.36.01.70 - Wednesday, November 22, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Email-Worm.Win32.Warezov.gl
   •  F-Secure: Email-Worm.Win32.Warezov.gl
   •  Grisoft: I-Worm/Stration.BCF
   •  Bitdefender: Win32.ExplorerHijack


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops files
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %WINDIR%\cservv32.exe



The following files are created:

– Non malicious file:
   • %WINDIR%\cservv32.dat

– A file that contains collected email addresses:
   • %WINDIR%\cservv32.wax

%SYSDIR%\e1.dll Further investigation pointed out that this file is malware, too.



It tries to download a file:

– The location is the following:
   • www4.rasetikuinyunhderunsa.com/chr/863/**********
It is saved on the local hard drive under: %TEMPDIR%\~%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "cservv32"="%WINDIR%\cservv32.exe s"



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • "AppInit_DLLs"=""
   New value:
   • "AppInit_DLLs"="e1.dll"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Email design:
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.zip
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
     addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachment:
   • Update-KB%number%-x86.exe


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail server report.
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Body:
The body of the email is one of the lines:
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • Mail transaction failed. Partial message is available.
   • The message contains Unicode characters and has been sent as a binary attachment.


Attachment:
The contents of the file is not a copy of itself but another malware. A description can be found here: TR/Dldr.Stration.G

The filenames of the attachments is constructed out of the following:

   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Sometimes continued by one of the following fake extensions:
   • dat
   • txt
   • elm
   • log
   • msg

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • cmd
   • zip



The email may look like one of the following:




 Mailing  Address generation for FROM field:
To generate addresses it uses the following strings:
   • sec
   • secur
   • serv

It combines the result with domains that were found in files, which were previously searched for addresses.

 Backdoor Contact server:
All of the following:
   • www3.rasetikuinyunhderunsa.com:80/cgi-bin/**********
   • www2.rasetikuinyunhderunsa.com:8082/**********

As a result it may send some information.

Sends information about:
    • Collected Email addresses

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Adriana Popa on Wednesday, November 22, 2006
Description updated by Adriana Popa on Thursday, November 23, 2006

Back . . . .