

VIRUS ALERTS

Stration Worm

Original issue date: September 30, 2006
Updated on: December 01, 2006

It has been observed that several variants of the Stration worm are spreading in the wild. Some of the variants are WORM_STRATIO.MY, WORM_STRATIO.QW, WORM_STRATIO.QL, WORM_STRATIO.QD, WORM_STRATION.WO (aliases: AntiVir Worm/Stration.C, BitDefender Win32.Warezov.AT@mm, ClamAV Worm.Stration.CQ, Command W32/Warezov.AU, Dr Web Win32.HLLM.Limar.based, eSafe Win32.Stration.wo, eTrust-INO Win32/Stration.Variant!Worm, eTrust-INO (BETA) Win32/Stration.Variant!Worm, F-Prot W32/Warezov.AU, McAfee (BETA) W32/Stration@MM.dr, Nod32 Win32/Stration.EB worm, Panda (BETA) W32/Spamta.CY.worm, Sophos W32/Stratio-AN, Symantec (BETA) W32.Stration@mm, VirusBuster Trojan.Opnis.Gen!Pac2, WebWasher Worm.Stration.C), WORM_STRATION.BB, WORM_STRATION.AZ, WORM_STRATION.BH, WORM_STRATION.F and WORM_STRATION.A.

The Stration worm is a mass-mailing worm that propagates by sending copies of itself as attachments to email messages, using its own SMTP engine. The worm obtains the email addresses it sends to from the Windows Address Book. Some variants are capable of sending email without using any mail application such as Microsoft Outlook.

The worm gives the attachment a double extension (for example a document-like extension followed by an executable one) to trick the user into thinking that it is a non-malicious file.

The worm drops component files into the system folder and sets their attributes to hidden to avoid easy detection. It also drops non-malicious files in the current folder (the location from which it executes) and opens these files, which contain garbage data, in Notepad to disguise its malicious routine. It drops copies of itself in the Windows temporary folder with double extensions.
Some variants modify the HOSTS file of the affected system to block access to certain websites.

The worm checks for an active internet connection, then accesses several websites and downloads further malicious files.

Activities of Stration worm after execution:

  • drops a copy of itself in the Windows folder under names such as: SVCHOST32.EXE, RSMB.EXE, tsrv.exe, T2SERV.EXE, CHKMFDEP.EXE, IPXRMFC4.DLL, RCBDWMPD.DLL, t2serv.dll. These files are detected as Stration worm files.
    Also drops randomly named non-malicious files in the current folder, such as: SVCHOST32.XML, t2serv.s, t2serv.wax

  • drops component files such as:
    • CMUT449C14B7.DLL
    • HPZl449C14B7.EXE
    • MSJI449C14B7.DLL
    • RSMB.DLL
    • e1.dll
    • iaspdpus.dll
    • ir32racp.exe
    • lmrtatkc.dll

  • injects the following files into certain running processes to remain memory-resident on the system:
    • E1.DLL
    • FILESERV.DLL
    • MSJI449C14B7.DLL
    • RCBDWMPD.DLL
    • QDVTSCF.DLL

  • some variants display the message "Update Successfully installed".

  • creates a registry entry to ensure its automatic execution at every Windows startup, such as:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = "{One space}MSJI449C14B7.DLL"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    t2serv = "%Windows%\t2serv.exe s"

    Some variants modify the registry entry as part of their autostart technique, such as:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = "qdvtscf.dll e1.dll"

  • Gathers email addresses from the Windows Address Book (WAB).

  • Uses its own SMTP engine to send email messages to the addresses found.

  • The email message constructed by the worm carries a subject such as:
    • {no subject}
    • {random}
    • Error
    • Good day
    • hello
    • Mail Delivery System
    • Server Report
    • Status
    • Mail transaction failed
    • picture

  • The email message constructed by the worm carries an attachment with a base name such as:
    • body
    • data
    • doc
    • docs
    • document
    • file
    • message
    • readme
    • test
    • tex
    • Update-KB{random numbers}-x86

  • attachment names use a double extension:
    (with any of the following as the first extension)
    • DAT
    • ELM
    • LOG
    • MSG
    • TXT
    (with any of the following as the second extension)
    • BAT
    • CMD
    • EXE
    • PIF
    • SCR

  • Attempts to download updated malicious files from the following URLs:
    • http://www2.verti{BLOCKED}daseliplim.co/cgi-bin/a.cgi
    • http://www3.verti{BLOCKED}daseliplim.com/cgi-bin/a.cgi
    • http://www3.verti{BLOCKED}daseliplim.com/chr/grv/lt.exe
    • http://www3.verti{BLOCKED}daseliplim.com/chr/grv2/nt.exe
    • http://www4.verti{BLOCKED}daseliplim.com/chr/grv/lt.exe
    • http://www6.verti{BLOCKED}daseliplim.com/chr/grv2/nt.exe
    • www4.{BLOCKED}tionkdaseliplim.com
    • www6.{BLOCKED}tionkdaseliplim.com
    • http://www4.vert{BLOCKED}kdaseliplim.com/chr/grv/lt.exe
    • http://www6.vert{BLOCKED}kdaseliplim.com/chr/grv/nt.exe

  • Some variants modify the system's HOSTS file, which contains host name to IP address mappings and is usually located in the %System%\drivers\etc folder.
    This is done so that the user cannot reach sites belonging to antivirus companies, which blocks signature updates and removal tools.
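The indicators above lend themselves to three simple defender-side checks: the attachment naming pattern (listed base name plus a document-like first extension and an executable second extension), the AppInit_DLLs and Run persistence values, and HOSTS entries that sinkhole antivirus vendor sites. The following Python script, written for this page as an added example and not CERT-In's or any vendor's code, implements all three over constructed sample input. The extension sets, base names and DLL names come from the alert; the vendor-name substrings in AV_HINTS and the sinkhole addresses in SINKHOLE_IPS are assumptions, and the sample MIME message and HOSTS text are constructed.

```python
"""Triage helpers for the Stration/Warezov indicators described in this alert.

Added example, not CERT-In's or any vendor's code. All sample input (the MIME
message, the AppInit_DLLs values, the HOSTS text) is constructed.
"""
import re
from email import message_from_string

# Double-extension pairs listed in the alert: the first extension looks like a
# document, the second one is executable.
FIRST_EXT = {"dat", "elm", "log", "msg", "txt"}
SECOND_EXT = {"bat", "cmd", "exe", "pif", "scr"}
DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>.+)\.(?P<first>[a-z]+)\.(?P<second>[a-z]+)$", re.I)

# Attachment base names from the alert; Update-KB{random numbers}-x86 is
# matched by pattern rather than listed literally.
KNOWN_BASES = {"body", "data", "doc", "docs", "document", "file",
               "message", "readme", "test", "tex"}
UPDATE_KB_RE = re.compile(r"^update-kb\d+-x86$", re.I)

# DLLs the alert shows being written to AppInit_DLLs.
KNOWN_APPINIT_DLLS = {"msji449c14b7.dll", "qdvtscf.dll", "e1.dll"}

# Assumption: sinkholed HOSTS entries name antivirus vendors mentioned in the
# alert; these substrings are derived from those vendor names.
AV_HINTS = ("symantec", "trendmicro", "mcafee", "sophos", "bitdefender",
            "clamav", "drweb", "f-prot", "nod32", "eset", "panda",
            "virusbuster", "antivir", "webwasher", "esafe", "etrust")
# Assumption: the worm maps vendor hosts to loopback or a null address.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def classify_attachment(name):
    """Return a reason string if the filename matches the alert's naming
    pattern (known first/second extension), otherwise None."""
    m = DOUBLE_EXT_RE.match(name.strip())
    if (not m or m.group("first").lower() not in FIRST_EXT
            or m.group("second").lower() not in SECOND_EXT):
        return None
    base = m.group("base").lower()
    if base in KNOWN_BASES or UPDATE_KB_RE.match(base):
        return "double extension with Stration base name"
    return "double extension"


def attachment_findings(raw_message):
    """Walk a raw RFC 822 message and return (filename, reason) pairs."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        reason = classify_attachment(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings


def parse_appinit_dlls(value):
    """Split an AppInit_DLLs value into lower-cased DLL names. The value is
    space- or comma-separated; the leading space the alert notes is dropped."""
    return [n.lower() for n in re.split(r"[ ,]+", value) if n]


def appinit_findings(value):
    """DLL names in an AppInit_DLLs value that the alert attributes to the worm."""
    return [n for n in parse_appinit_dlls(value) if n in KNOWN_APPINIT_DLLS]


def hosts_findings(hosts_text):
    """Return (ip, hostname) pairs where a vendor-looking host is sinkholed."""
    out = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SINKHOLE_IPS:
            continue
        for host in fields[1:]:
            if any(hint in host.lower() for hint in AV_HINTS):
                out.append((fields[0], host.lower()))
    return out


# Constructed sample input in the style the alert describes.
SAMPLE_MESSAGE = """\
From: postmaster@example.net
To: user@example.org
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--sep
Content-Type: application/octet-stream; name="readme.txt.exe"
Content-Disposition: attachment; filename="readme.txt.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--sep
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--sep--
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
# constructed entries resembling the alert's HOSTS modification
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 intranet.example.org
"""

if __name__ == "__main__":
    print(attachment_findings(SAMPLE_MESSAGE))
    print(appinit_findings(" MSJI449C14B7.DLL"))
    print(hosts_findings(SAMPLE_HOSTS))
```

The attachment check keys on the extension pair rather than on the base-name list alone, because the base names are ordinary words; the base-name match only raises the reason string. The AppInit_DLLs parser tolerates the leading space the alert documents, which is easy to miss when the value is inspected by eye. On a live Windows host the same functions can be fed the value read from the registry and the contents of %System%\drivers\etc\hosts.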

Users are advised to implement the following countermeasures:

  • Keep Anti-Virus signatures up to date.
  • Apply appropriate security updates at the OS level and to applications such as web browsers.
  • Keep Anti-Spyware software up to date.

Common Malware Enumeration (CME) ID: CME-416

References:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATIO%2EMY&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATIO%2EQL&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EA&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EBB&VSect=T

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSTRATION%2EWO&VSect=T

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091012-5303-99

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092111-0525-99&tabid=1

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092010-3625-99

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003