| Alias/es | W32/Stration.DS!tr.dldr, Email-Worm.Win32.Warezov.dc, W32/Dloader.AHQ!tr.dldr, W32/Dloader.AHR!tr.dldr, W32/Dloader.AHS!tr.dldr, W32/Stratio.AW@mm, W32/Stratio.AY!worm, W32/Stration.AY!worm, W32/Stration.DC@mm, W32/Stration.dr virus, W32/Warezov.DC!worm, W |
| Release Date | Oct 19, 2006 |
| Detection Availability | Current Antivirus Definition Database Version: 11.581 |
| Description | Visible Symptoms
- A message box may be displayed on the first execution.
- The file [Number].tmp may exist in the current folder.
- The following files exist in the Windows folder:
- sserrvv.exe
- sserrvv.s
- sserrvv.wax
- The file e1.dll exists in the System folder.
Detailed Analysis
- This malware has two components: a downloader and a mass-mailer.
Downloader Component
- When first executed, it copies itself to the System folder using a randomized filename, such as ytcdcxdmdm.exe. It then runs this copy.
- Drops the file [Number].tmp in the current folder, then opens it using Windows Notepad. This file just contains garbage text strings.
- Displays the following message box:
Title: Information
Message:
Update successfully installed.
- The copy of the downloader, which is in the System folder, downloads a file from the following URL, then executes it:
http://www6.vedasetionkderun.com/8[REMOVED].exe
This file is also detected as W32/Stration.DS@mm. It contains the mass-mailing routine of the worm.
Mass-Mailer Component
- Copies itself to the Windows folder as sserrvv.exe, then executes this copy.
- Drops the file e1.dll to the System folder and injects it into running processes whose names contain any of the following strings (antivirus updaters and Windows Update components among them):
- vgupsvc
- autodown
- avginet
- drwebupw
- explorer
- kav
- kavsvc
- mcupdate
- nod32krn
- spiderml
- tbmon
- upgrader
- wuauclt
- wuauclt1
- wupdmgr
Autostart Mechanism
- Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sserrvv = "%WINDOWS%\sserrvv.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = "e1.dll"
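The file and registry artifacts above are enough for a first-pass host triage. The following is an added example, not code from the original description: it evaluates an offline snapshot (directory listings plus the two registry values exported from a suspect host), so it runs anywhere and can be tested without a Windows machine; on a live host the snapshot would be built with os.listdir() and winreg.QueryValueEx(). The snapshot dictionaries at the bottom are constructed for the example.

```python
"""Offline triage for the W32/Stration.DS@mm host artifacts listed above
(Visible Symptoms and Autostart Mechanism).  Added example, not part of the
original description.  Works on a snapshot so it runs without a live host."""
import ntpath
import re

# Indicators taken from the description above.
WINDOWS_FILES = {"sserrvv.exe", "sserrvv.s", "sserrvv.wax"}
SYSTEM_FILES = {"e1.dll"}
RUN_VALUE_NAME = "sserrvv"
RUN_IMAGE = "sserrvv.exe"
APPINIT_DLL = "e1.dll"


def parse_appinit_dlls(value):
    """AppInit_DLLs holds zero or more DLL paths separated by spaces or commas.
    Return their lower-cased basenames so that 'e1.dll' also matches a full
    path such as 'C:\\WINDOWS\\system32\\e1.dll'."""
    return [ntpath.basename(p).lower() for p in re.split(r"[,\s]+", value.strip()) if p]


def parse_run_command(command):
    """Split a Run-key command line into (image path, arguments), honouring a
    quoted image path.  The entry shown above is unquoted: '%WINDOWS%\\sserrvv.exe s'."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    image, _, args = command.partition(" ")
    return image, args.strip()


def assess_host(windows_listing, system_listing, run_values, appinit_dlls):
    """Return the indicators found in the snapshot (empty list if clean).
    windows_listing / system_listing: filenames in %WINDOWS% and %SYSTEM%.
    run_values: {value name: command line} from HKLM\\...\\CurrentVersion\\Run.
    appinit_dlls: the AppInit_DLLs string from HKLM\\...\\Windows NT\\CurrentVersion\\Windows."""
    findings = []
    windows = {name.lower() for name in windows_listing}
    system = {name.lower() for name in system_listing}
    findings += [f"file:%WINDOWS%\\{f}" for f in sorted(WINDOWS_FILES & windows)]
    findings += [f"file:%SYSTEM%\\{f}" for f in sorted(SYSTEM_FILES & system)]
    for name, command in run_values.items():
        image, args = parse_run_command(command)
        # Match on either the value name or the image, since either one is easy to rename.
        if name.lower() == RUN_VALUE_NAME or ntpath.basename(image).lower() == RUN_IMAGE:
            findings.append(f"run:{name}={image} args={args!r}")
    if APPINIT_DLL in parse_appinit_dlls(appinit_dlls):
        # AppInit_DLLs is loaded by every process that maps user32.dll, which is
        # how e1.dll reaches the update and antivirus processes named above.
        findings.append(f"appinit:{APPINIT_DLL}")
    return findings


# Constructed snapshots (not data from the original page).
INFECTED_SNAPSHOT = dict(
    windows_listing=["explorer.exe", "SSERRVV.EXE", "sserrvv.wax", "notepad.exe"],
    system_listing=["kernel32.dll", "user32.dll", "e1.dll"],
    run_values={"sserrvv": "%WINDOWS%\\sserrvv.exe s",
                "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    appinit_dlls="e1.dll",
)
CLEAN_SNAPSHOT = dict(
    windows_listing=["explorer.exe", "notepad.exe"],
    system_listing=["kernel32.dll", "user32.dll"],
    run_values={"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    appinit_dlls="",
)

if __name__ == "__main__":
    for line in assess_host(**INFECTED_SNAPSHOT):
        print(line)
```

The filename comparisons are case-insensitive because NTFS is, and the AppInit_DLLs check compares basenames because the value may carry either a bare name or a full path. Note that the sserrvv.s file is in the indicator set but absent from the constructed infected snapshot, so a partial cleanup still yields findings.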
Email Propagation
- Gathers email addresses from the Microsoft Windows Address Book and from files having the following extensions:
- adb
- asp
- cfg
- cgi
- dbx
- dhtm
- eml
- htm
- html
- jsp
- mbx
- mdx
- mht
- mmf
- msg
- nch
- ods
- oft
- php
- sht
- shtm
- stm
- tbb
- txt
- uin
- wab
- wsh
- xml
The email addresses are stored in the file sserrvv.wax in the Windows folder.
- Avoids sending emails to addresses that contain any of the following strings:
- .edu
- .gov
- .mil
- @avp
- @foo
- admin
- anyone@
- apache
- berkeley
- bsd
- bugs@
- cafee
- certific
- contact
- contract@
- example
- fido
- ftp
- gnu
- gold-certs
- google
- help
- help@
- ibm.com
- icrosoft
- info@
- kasp
- kernel
- linux
- local
- master
- mozilla
- mydomai
- news
- nobody
- noone
- noreply
- panda
- pgp
- privacy
- rating
- rfc-ed
- ripe.
- root@
- samples
- secure
- sendmail
- service
- somebody
- someone
- spam
- support
- unix
- update
- usenet
- winrar
- winzip
- www
- you
- your
- Uses its own SMTP engine to send itself to email addresses that it finds.
- The email has the following format:
From: [Name1].[Name2]@[Domain]
[Name1] can be one of the following:
- alice
- anna
- betty
- bob
- brenda
- brent
- brian
- carol
- claudia
- craig
- cyber
- dan
- dave
- david
- debby
- den
- Donna
- frank
- george
- gerhard
- helen
- james
- jane
- jayson
- jerry
- jim
- joe
- john
- karen
- linda
- lisa
- mancy
- maria
- ruth
- sandra
- sharon
- Susan
[Name2] can be any of the following:
- adam
- adams
- allen
- anderson
- baker
- carter
- clark
- garcia
- gonzalez
- green
- hall
- harris
- hernandez
- hill
- jackson
- jeremy
- joe
- kenneth
- king
- lee
- lewis
- lopez
- martin
- martinez
- miller
- molly
- moore
- nelson
- robinson
- robyn
- rodriguez
- scott
- shaan
- taylor
- thomas
- thompson
- walker
- white
- wilson
- wright
- young
[Domain] can be any of the following:
- areainc.com
- elamex.com
- fcradio.net
- firstclassmoving.com
- gametemple.com
- guierfence.com
- heatwave.com
- iinet.net.au
- logoluso.com
- megaman.com
- midmich.net
- motorsportwarehouse.com
- niet.com
- phazen.net
- scholzes.com
- selectplans.com
- sycamorepd.com
- telcan.com
- tjh.com
- vieng.com
Subject: one of the following:
- Error
- Good day
- hello
- Mail Delivery System
- Mail Transaction Failed
- picture
- Server Report
- Status
- test
Message Body: one of the following:
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
- Mail server report.
  Our firewall determined the e-mails containing worm copies are being sent from your computer.
  Nowadays it happens from many computers, because this is a new virus type (Network Worms).
  Using the new bug in the Windows, these viruses infect the computer unnoticeably.
  After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
  Please install updates for worm elimination and your computer restoring.
  Best regards,
  Customers support service
Attachment: can be any of the following:
- [Filename].[Extension1].[Extension2]
- [Filename].[Extension2]
- attach.zip (contains an EXE file)
- Update-KB[Random Number]-x86.exe
[Filename] can be a random string of characters or any of the following:
- body
- data
- doc
- docs
- document
- file
- message
- readme
- sec
- secur
- serv
- test
- text
[Extension1] can be any of the following:
[Extension2] can be any of the following:
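The sender, subject and attachment vocabulary above is static, which makes the lure easy to recognise at a mail gateway. The following is an added example, not code from the original description. It uses only the values listed on this page, with two labelled assumptions where the page is silent: the KB number in Update-KB[Random Number]-x86.exe is taken to be decimal digits, and because the [Extension1]/[Extension2] lists were not preserved, the second extension of a double-extension attachment is matched against a common set of Windows executable extensions. The two messages at the bottom are constructed for the test, not captured traffic.

```python
"""Mail-gateway check for the Stration.DS lure described above.  Added
example; not part of the original description.  EXEC_EXTS and the digit
pattern in FAKE_UPDATE_RE are assumptions (see the lead-in)."""
import re
from email import message_from_string, policy

# Lure vocabulary copied from the description above, lower-cased.
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail transaction failed", "picture", "server report", "status", "test"}
NAME1 = {"alice", "anna", "betty", "bob", "brenda", "brent", "brian", "carol", "claudia",
         "craig", "cyber", "dan", "dave", "david", "debby", "den", "donna", "frank",
         "george", "gerhard", "helen", "james", "jane", "jayson", "jerry", "jim", "joe",
         "john", "karen", "linda", "lisa", "mancy", "maria", "ruth", "sandra", "sharon", "susan"}
NAME2 = {"adam", "adams", "allen", "anderson", "baker", "carter", "clark", "garcia",
         "gonzalez", "green", "hall", "harris", "hernandez", "hill", "jackson", "jeremy",
         "joe", "kenneth", "king", "lee", "lewis", "lopez", "martin", "martinez", "miller",
         "molly", "moore", "nelson", "robinson", "robyn", "rodriguez", "scott", "shaan",
         "taylor", "thomas", "thompson", "walker", "white", "wilson", "wright", "young"}
DOMAINS = {"areainc.com", "elamex.com", "fcradio.net", "firstclassmoving.com", "gametemple.com",
           "guierfence.com", "heatwave.com", "iinet.net.au", "logoluso.com", "megaman.com",
           "midmich.net", "motorsportwarehouse.com", "niet.com", "phazen.net", "scholzes.com",
           "selectplans.com", "sycamorepd.com", "telcan.com", "tjh.com", "vieng.com"}
BASENAMES = {"body", "data", "doc", "docs", "document", "file", "message", "readme",
             "sec", "secur", "serv", "test", "text"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}      # assumption: page's list missing
FAKE_UPDATE_RE = re.compile(r"^update-kb\d+-x86\.exe$")       # assumption: digits
SENDER_RE = re.compile(r"([a-z]+)\.([a-z]+)@([a-z0-9.-]+)")   # [Name1].[Name2]@[Domain]


def attachment_indicator(filename):
    """Classify one attachment name against the four forms listed above;
    return None when it matches none of them."""
    name = filename.lower()
    if FAKE_UPDATE_RE.match(name):
        return "attachment:fake-update"
    if name == "attach.zip":
        return "attachment:attach.zip"
    parts = name.split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS:
        return "attachment:double-extension"
    if len(parts) == 2 and parts[0] in BASENAMES and parts[1] in EXEC_EXTS:
        return "attachment:lure-basename"
    return None


def classify(raw_message):
    """Return (is_lure, indicators).  A message is treated as the Stration lure
    when an attachment indicator is present together with either a listed
    subject or a sender drawn from the worm's name/domain pools."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    sender = SENDER_RE.search(str(msg.get("From", "")).lower())
    if (sender and sender.group(1) in NAME1 and sender.group(2) in NAME2
            and sender.group(3) in DOMAINS):
        hits.append("forged-sender")
    for part in msg.iter_attachments():
        indicator = attachment_indicator(part.get_filename() or "")
        if indicator:
            hits.append(indicator)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and ("subject" in hits or "forged-sender" in hits), hits


# Constructed messages (not captured traffic).
LURE = """\
From: dave.miller@iinet.net.au
To: victim@example.org
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream; name="Update-KB5361-x86.exe"
Content-Disposition: attachment; filename="Update-KB5361-x86.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
BENIGN = """\
From: alice@example.org
To: victim@example.org
Subject: Quarterly report

Figures are in the shared folder.
"""

if __name__ == "__main__":
    print(classify(LURE))
    print(classify(BENIGN))
```

The verdict requires an attachment indicator plus a second signal, because the subjects alone ("hello", "test", "Status") are too generic to block on. A random [Filename] with a single extension is deliberately not flagged on its name alone; that case has to fall back to content scanning of the attachment.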
Backdoor and/or Trojan Behavior
- Connects to the following URLs:
- www3.her[REMOVED]oion.com
- http://www2.er[REMOVED]lion.com/cgi-bin/a.cgi
- www2.ve[REMOVED]run.com
Description Last Updated Date: Dec 29, 2006
Reference: ID - 298105