Virus: TR/Dldr.Stration.F
Date discovered: 20/11/2006
Type: Trojan
Subtype: Downloader
In the wild: Yes
Reported Infections: High
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: ~32.000 Bytes
VDF version: 6.36.01.54
IVDF version: 6.36.01.57 - Monday, November 20, 2006
General

Method of propagation:
• No own spreading routine

Alias:
• Kaspersky: Email-Worm.Win32.Warezov.ev
• F-Secure: Email-Worm.Win32.Warezov.ev

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file

Right after execution it runs a Windows application which displays a window (screenshot not reproduced here).

Files

It copies itself to the following location:
• %SYSDIR%\%random character string%.exe

The following file is created:
– Non malicious file:
• %malware execution directory%\%random character string%.tmp

It tries to download a file:
– The location is the following:
• http://www6.rasetikuinyunhderunsa.com/859/**********
It is saved on the local hard drive under: %TEMPDIR%\~%number%.tmp
This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: Worm/Stration.F

Email

It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:

From: The sender address is spoofed.

Email design, first variant (the sender local part is one of sec, secur or serv; the domain is the recipient's own):
From: one of the following:
• sec@%recipient's domain%
• secur@%recipient's domain%
• serv@%recipient's domain%
Subject: Mail server report.
Body:
• Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service
Attachments:
• Update-KB%number%-x86.exe
• Update-KB%number%-x86.zip

Email design, second variant:
Subject: One of the following:
• Error
• Good day
• hello
• Mail Delivery System
• Mail Transaction Failed
• picture
• Server Report
• Status
• test
Body: The body of the email is one of the lines:
• Mail transaction failed. Partial message is available.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
• The message contains Unicode characters and has been sent as a binary attachment
Attachment: The filename of the attachment is constructed out of the following:
– It starts with one of the following:
• body
• data
• doc
• docs
• document
• file
• message
• readme
• test
• text
Sometimes continued by one of the following fake extensions:
• dat
• elm
• log
• msg
• txt
The file extension is one of the following:
• bat
• cmd
• exe
• pif
• scr
• zip

(Sample screenshots of these emails are not reproduced here.)

File details

Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
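The email characteristics above (spoofed sender at the recipient's own domain, the "Mail server report." subject, the Update-KB attachment names, and the generated stem/fake-extension/real-extension attachment names) can be turned into a simple mail-gateway check. This is an added example, not part of the Avira description; the message dictionaries and addresses are constructed samples.

```python
import re

# Attachment filename grammar as listed in the description:
# <stem>[.<fake extension>].<real extension>
STEMS = ("body", "data", "doc", "docs", "document", "file",
         "message", "readme", "test", "text")
FAKE_EXTS = ("dat", "elm", "log", "msg", "txt")
REAL_EXTS = ("bat", "cmd", "exe", "pif", "scr", "zip")

ATTACHMENT_RE = re.compile(
    r"^(?:%s)(?:\.(?:%s))?\.(?:%s)$"
    % ("|".join(STEMS), "|".join(FAKE_EXTS), "|".join(REAL_EXTS)),
    re.IGNORECASE,
)
# "Mail server report." variant: Update-KB<number>-x86.exe / .zip
UPDATE_RE = re.compile(r"^Update-KB\d+-x86\.(?:exe|zip)$", re.IGNORECASE)
# Spoofed local parts paired with the recipient's own domain
SPOOFED_LOCAL_PARTS = {"sec", "secur", "serv"}


def classify(msg):
    """Return the names of the Stration.F spam indicators a message matches."""
    hits = []
    sender_local, _, sender_domain = msg["from"].rpartition("@")
    rcpt_domain = msg["to"].rpartition("@")[2]
    if (sender_local.lower() in SPOOFED_LOCAL_PARTS
            and sender_domain.lower() == rcpt_domain.lower()
            and msg["subject"] == "Mail server report."):
        hits.append("spoofed-mail-server-report")
    for name in msg.get("attachments", []):
        if UPDATE_RE.match(name):
            hits.append("fake-update-attachment")
        elif ATTACHMENT_RE.match(name):
            hits.append("generated-attachment-name")
    return hits


# Constructed sample messages (not real captures)
SAMPLES = [
    {"from": "secur@example.org", "to": "alice@example.org",
     "subject": "Mail server report.", "attachments": ["Update-KB4521-x86.zip"]},
    {"from": "bob@example.net", "to": "alice@example.org",
     "subject": "Mail Delivery System", "attachments": ["document.txt.pif"]},
    {"from": "carol@example.net", "to": "alice@example.org",
     "subject": "Status", "attachments": ["readme.txt"]},  # benign name
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["attachments"], classify(m))
```

The third sample shows why the final real extension matters: a plain `readme.txt` shares a stem with the pattern but is not flagged.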
Description inserted by Andrei Gherman on Monday, November 20, 2006
Description updated by Andrei Gherman on Monday, November 20, 2006