Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:24/08/2006
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:86.048 Bytes
MD5 checksum:f973b4c2739d8344d1eb2b7185f55ab0
VDF version:
IVDF version: - Friday, August 25, 2006

 General Method of propagation:
   • Email

   •  Mcafee: W32/Stration@MM
   •  Kaspersky: Trojan-Downloader.Win32.Agent.atq
   •  F-Secure: Trojan-Downloader.Win32.Agent.atq
   •  Sophos: W32/Stration-E
   •  VirusBuster: Trojan.Opnis.AA
   •  Eset: Win32/Stration.C
   •  Bitdefender: Win32.HLLW.Stration.A

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Uses its own Email engine

Right after execution it runs a windows application which will display the following window:

 Files It copies itself to the following location:
   • %WINDIR%\svchost32.exe

The following files are created:

– Non malicious file:
   • %WINDIR%\svchost32.xml

%malware execution directory%\%hex number%.tmp This is a non malicious text file with the following content:
   • %random character string%

It tries to download a file:

– The location is the following:
It is saved on the local hard drive under: %TEMPDIR%\~%hex number%.tmp Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too.

 Registry The following registry key is changed:

– HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
   New value:
   • "PendingFileRenameOperations"="\??\%WINDIR%\svchost32.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

– Email addresses found in specific files on the system.
– Generated addresses

One of the following:
   • Error
   • Good day
   • hello
   • Mail Delivery System
   • Mail Transaction Failed
   • picture
   • Server Report
   • Status
   • test

The body of the email is one of the lines:
   • The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment
   • The message contains Unicode characters and has been sentas a binary attachment.
   • Mail transaction failed. Partial message is available.

The filenames of the attachments is constructed out of the following:

–  It starts with one of the following:
   • body
   • data
   • doc
   • docs
   • document
   • file
   • message
   • readme
   • test
   • text

    Continued by one of the following fake extensions:
   • dat
   • elm
   • log
   • msg
   • txt

    The file extension is one of the following:
   • bat
   • cmd
   • exe
   • pif
   • scr

Here are a few examples of how the filename of the attachment might look like:
   • message.msg.exe
   • docs.txt.cmd
   • test.log.bat

The attachment is a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • xml; xls; wsh; wab; uin; txt; tbb; stm; shtm; sht; php; oft; ods; nch;
      msg; mmf; mht; mdx; mbx; jsp; html; htm; eml; dhtm; dbx; cgi; cfg;
      asp; adb

 Backdoor Contact server:
The following:

As a result it may send some information. This is done via the HTTP POST method using a CGI script.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • MEW 11

Description inserted by Teodor Onisor on Tuesday, August 29, 2006
Description updated by Teodor Onisor on Thursday, September 14, 2006

Back . . . .