Name: TR/Dldr.Stration.C
Discovered on: 19/10/2006
Type: Trojan
Subtype: Downloader
In the wild (ITW): Yes
Number of reported infections: Medium to high
Spreading potential: Low
Damage potential: Low to medium
Static file: No
Size: ~30,000 bytes
VDF version: 6.36.00.129
IVDF version: 6.36.00.146 - Saturday, 21 October 2006
Heuristics: HEUR/Crypted

General
Method of propagation:
   • Has no propagation routine of its own


Aliases:
   •  McAfee: W32/Stration.dr
   •  Kaspersky: Email-Worm.Win32.Warezov.dc
   •  Sophos: W32/Stratio-AW
   •  VirusBuster: Trojan.Opnis.EM
   •  BitDefender: Trojan.Downloader.AOW

Initially identified as:
   •  Worm/Marmota.B


Operating systems:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malware file


Immediately after it is executed, the following is displayed on screen:



After activation, it runs a Windows program that displays the following window:


Files
It copies itself to the following location:
   • %SYSDIR%\%random character string%.exe



The following file is created:

– Harmless file:
   • %malware execution directory%\%random character string%.tmp




It attempts to download a file:

– From the following address:
   • http://www6.vedasetionkderun.com/819/**********

The file is stored on the hard disk at: %TEMPDIR%\~%number%.tmp
This file is also executed after it has been downloaded from the Internet. Further analysis revealed that this file is malware as well. Detected as: Worm/Stration.C

Email
It has no propagation routine of its own, but it was spread via e-mail. The e-mail has the following characteristics:


From:
The address is spoofed.


Email format:


From: sec@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachments:
   • Update-KB%number%-x86.exe
   • Update-KB%number%-x86.zip


From: secur@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachments:
   • Update-KB%number%-x86.exe
   • Update-KB%number%-x86.zip


From: serv@%recipient's domain%
Subject: Mail server report.
Body:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Attachments:
   • Update-KB%number%-x86.exe
   • Update-KB%number%-x86.zip


Subject:
One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Email body:
The email body is one of the following texts:
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • The message contains Unicode characters and has been sent as a binary attachment


Attachment:
The name of the attached file is composed as follows:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Sometimes followed by one of the following decoy extensions:
   • dat
   • elm
   • log
   • msg
   • txt

    The actual file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr
   • zip
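Added example (not part of the original description): a mail-gateway style check, written here from the defender's side, that matches a message's sender, subject, body and attachment names against the lure characteristics listed above. The sample messages, the `example.com` recipient domain and the function names are constructed for this example.

```python
import re

# Lure characteristics as listed in the description above (constants
# transcribed from the page; the sample inputs below are constructed).
SPOOFED_LOCALPARTS = {"sec", "secur", "serv"}
SUBJECTS = {
    "Mail server report.", "Error", "Good day", "hello", "Mail Delivery System",
    "Mail Transaction Failed", "picture", "Server Report", "Status", "test",
}
BODY_MARKERS = (
    "Our firewall determined the e-mails containing worm copies",
    "Mail transaction failed. Partial message is available.",
    "has been sent as a binary attachment",
)
STEMS = "body|data|doc|docs|document|file|message|readme|test|text"
FAKE_EXTS = "dat|elm|log|msg|txt"
REAL_EXTS = "bat|cmd|exe|pif|scr|zip"
# stem, optional decoy extension, then the real extension; or the fake
# Windows update name "Update-KB<number>-x86.<ext>" from the mail variants
ATTACHMENT_RE = re.compile(
    rf"^(?:(?:{STEMS})(?:\.(?:{FAKE_EXTS}))?|Update-KB\d+-x86)\.(?:{REAL_EXTS})$",
    re.IGNORECASE,
)


def is_stration_attachment(name: str) -> bool:
    """True if the attachment name follows the naming scheme described above."""
    return ATTACHMENT_RE.match(name) is not None


def stration_indicators(sender: str, subject: str, body: str,
                        attachments: list[str], recipient_domain: str) -> list[str]:
    """Return the lure characteristics a message matches (empty list = none)."""
    hits = []
    local, _, domain = sender.lower().partition("@")
    if local in SPOOFED_LOCALPARTS and domain == recipient_domain.lower():
        hits.append("sender spoofed in recipient's own domain")
    if subject.strip() in SUBJECTS:
        hits.append("known subject")
    if any(marker in body for marker in BODY_MARKERS):
        hits.append("known body text")
    if any(is_stration_attachment(a) for a in attachments):
        hits.append("attachment name matches scheme")
    return hits


if __name__ == "__main__":
    # Constructed sample resembling the first "Mail server report." variant above
    print(stration_indicators(
        "sec@example.com", "Mail server report.",
        "Our firewall determined the e-mails containing worm copies are being sent",
        ["Update-KB1234-x86.zip"], "example.com"))
```

A real gateway would combine these hits with a score threshold rather than blocking on any single one, since subjects such as "test" or "Status" are common in legitimate mail.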



The email may look like one of the following:




File details
File compression:
To hamper detection and reduce the file size, a runtime packer is used.

Description inserted by Alexander Vukcevic on Thursday, 19 October 2006
Description updated by Andrei Gherman on Friday, 20 October 2006
