Nume:TR/Dldr.Stration.F
Descoperit pe data de:20/11/2006
Tip:Troian
Subtip:Downloader
ITW:Da
Numar infectii raportate:Ridicat
Potential de raspandire:Scazut
Potential de distrugere:Scazut spre mediu
Fisier static:Nu
Marime:~32.000 Bytes
Versiune VDF:6.36.01.54
Versiune IVDF:6.36.01.57 - lundi 20 novembre 2006

 General Metoda de raspandire:
   • Nu are rutina proprie de raspandire


Alias:
   •  Kaspersky: Email-Worm.Win32.Warezov.ev
   •  F-Secure: Email-Worm.Win32.Warezov.ev


Sistem de operare:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efecte secundare:
   • Descarca un fisier malware


Imediat dupa lansarea in executie, pe ecran este afisat:



Dupa activare, ruleaza un program Windows care afiseaza urmatoarea fereastra:


 Fisiere Se copiaza in urmatoarea locatie:
   • %SYSDIR%\%combinatie de caractere aleatoare%.exe



Este creat fisierul:

– Fisier inofensiv:
   • %directorul de activare malware%\%combinatie de caractere
      aleatoare%.tmp




Incearca sa descarce un fisier:

– Adresa este urmatoarea:
   • http://www6.rasetikuinyunhderunsa.com/859/**********
Fisierul este stocat pe hard disc la: %TEMPDIR%\~%numar%.tmp In plus, acest fisier este executat dupa ce este descarcat de pe Internet. Analiza ulterioara a relevat ca si acest fisier este malware. Detectat ca: Worm/Stration.F

 Email Nu are rutina proprie de propagare, dar a fost raspandit prin e-mail. Iata caracteristicile lui:


De la:
Adresa este falsificata.


Formatul email-ului:
 


De la: sec@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Atasamente:
   • Update-KB%numar%-x86.exe
   • Update-KB%numar%-x86.zip
 


De la: secur@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Atasamente:
   • Update-KB%numar%-x86.exe
   • Update-KB%numar%-x86.zip
 


De la: serv@%domeniul destinatarului%
Subiect: Mail server report.
Corp mesaj:
   • Mail server report.
     Our firewall determined the e-mails containing worm copies are being sent from your computer.
     Nowadays it happens from many computers, because this is a new virus type (Network Worms).
     Using the new bug in the Windows, these viruses infect the computer unnoticeably.
     After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
     Please install updates for worm elimination and your computer restoring.
     Best regards,
     Customers support service
Atasamente:
   • Update-KB%numar%-x86.exe
   • Update-KB%numar%-x86.zip


Subiect:
Unul din urmatoarele:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test



Corpul email-ului:
Corpul email-ului este unul din textele:
   • Mail transaction failed. Partial message is available.
   • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
   • The message contains Unicode characters and has been sent as a binary attachment


Atasament:
Numele fisierului atasat este alcatuit dupa cum urmeaza:

–  Incepe cu unul din urmatoarele:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Urmat uneori de una din urmatoarele extensii false:
   • dat
   • elm
   • log
   • msg
   • txt

    Extensia fisierului este una din urmatoarele:
   • bat
   • cmd
   • exe
   • pif
   • scr
   • zip



Email-ul poate arata ca unul din urmatoarele:




 Detaliile fisierului Compresia fisierului:
Pentru a ingreuna detectia si a reduce marimea fisierului, este folosit un program de compresie runtime.

Description insérée par Andrei Gherman le lundi 20 novembre 2006
Description mise à jour par Andrei Gherman le lundi 20 novembre 2006

Retour . . . .