W32/Stration@MM

Type: Virus
SubType: Email
Discovery Date: 08/15/2006
Length: varies
Minimum DAT: 4830 (08/15/2006)
Updated DAT: 5662 (06/30/2009)
Minimum Engine: 5.1.00
Description Added: 08/15/2006
Description Modified: 09/01/2007 10:21 PM (PT)
Risk Assessment (Corporate User): Low-Profiled
Risk Assessment (Home User): Low-Profiled


Overview

-- Update September 1, 2007 --

Another variant that uses instant messaging to send links to infected files was recently discovered in the wild. Instead of Skype Chat, this threat spreads through MSN Messenger messages containing links to infected files, such as:

Here are new smiles for MSN, they are incredible!

http://{blocked}.vabaominheran.com/smiles/{blocked}/

Please refer to the Characteristics section for other details of this threat.

-- Update March 1, 2007 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/02/28/warezov_skype_im_worm/


-- Update March 1, 2007 --

Another variant has been seen in the wild which uses Skype Chat to send links to infected files. More details on this specific variant can be found at the end of the Characteristics section of this description.


-- Update October 26, 2006 --

Another variant has been seen in the wild. Please view the W32/Stration.dr VIL entry for more information on this latest variant.


-- Update September 25, 2006 --

W32/Stration@MM has been deemed Low-Profiled because McAfee Avert Labs has received several newly spammed variants of this virus.


W32/Stration@MM is a mass mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. W32/Stration@MM is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

Aliases

  • Email-Worm.Win32.Warezov.a (Kaspersky)
  • W32.Stration.A@mm (Symantec)
  • W32/Spamta.A.worm (Panda)
  • W32/Stration-A (Sophos)
  • W32/Stration.A (Norman)
  • W32/Stration@mm (Fortinet)
  • Win32/Stration.A (ESET)
  • Worm.Stration.A (ClamAV)
  • WORM_STRATION.A (Trend Micro)

Characteristics

-- Update September 1, 2007 --

Another variant that uses instant messaging to send links to infected files was recently discovered in the wild. Instead of Skype Chat, this threat spreads through MSN Messenger messages containing links to infected files, such as:

Here are new smiles for MSN, they are incredible!

http://{blocked}.vabaominheran.com/smiles/{blocked}/

Please refer to the Characteristics section for other details of this threat.

----

Upon execution, it opens Notepad and displays a text file containing random characters.

Creates a copy of itself into the Windows directory:


%Windir%\svchost32.exe


Marks itself for deletion the next time Windows starts via the registry key:


HKEY_LOCAL_MACHINE\System\ControlSet\Control\Session Manager
"PendingFileRenameOperations" = "%Windir%\svchost32.exe"


-- Update March 1, 2007 --


A new variant has been seen in the wild which uses Skype Chat to send links to itself.


When run, it creates the following files:


  • %SysDir%\drmvndde.dll ( 143360 bytes )
  • %SysDir%\drmvndde.exe ( 119335 bytes )
  • %SysDir%\nv4_icm3.dll ( 24576 bytes )
  • %SysDir%\vsutxpob.dll ( 57344 bytes )
  • %SysDir%\kbdfnmmk.exe ( 49152 bytes )
  • %SysDir%\drmvndde.dat

The following registry key is created to register itself as a service:


  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\drmvndde

The following registry key is created to load the DLL file in question with each running process:


  • hkey_local_machine\software\microsoft\windows nt\currentversion\windows\appinit_dlls=" nv4_icm3.dll"

It also attempts to connect to the following website:


  • kedfinhderionkadesunpas.com
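
The persistence mechanisms listed above (the PendingFileRenameOperations entry that removes the dropped copy at the next boot, the Winlogon Notify subkey, and the AppInit_DLLs value) are plain registry data, so a responder can check for them in an offline snapshot rather than on the live machine. The Python below is an added example written for this page, not McAfee's code or tooling. It audits a registry snapshot supplied as a dictionary; SAMPLE_REGISTRY is constructed to mirror the values described above (it is not an export from an infected host), and the notify_allowlist parameter and the finding format are this example's own. It handles the two details that defeat naive string matching: the leading blank in the AppInit_DLLs value, and the source/target pairing of PendingFileRenameOperations, where an empty target means the file is deleted at the next boot.

```python
import re
from typing import Any, Dict, Iterable, List

# A registry snapshot as {key_path: {value_name: data}}.
Registry = Dict[str, Dict[str, Any]]

NT_CURRENT = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
KEY_APPINIT = NT_CURRENT + r"\windows"
KEY_NOTIFY = NT_CURRENT + r"\winlogon\notify"
# The live key sits under CurrentControlSet; the description abbreviates it as ControlSet.
KEY_SESSION = r"hkey_local_machine\system\currentcontrolset\control\session manager"

# Constructed sample mirroring the values in the description; not a real export.
SAMPLE_REGISTRY: Registry = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager": {
        # REG_MULTI_SZ of source/target pairs; an empty target means "delete at boot".
        "PendingFileRenameOperations": [r"\??\C:\WINDOWS\svchost32.exe", ""],
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": " nv4_icm3.dll",  # note the leading blank, as on the page
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drmvndde": {
        "DllName": "drmvndde.dll",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_baseline": {
        "DllName": "baseline.dll",  # constructed stand-in for a known-good package
    },
}


def _normalize(reg: Registry) -> Registry:
    """Registry key and value names are case-insensitive; compare in lower case."""
    return {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}


def audit_persistence(reg: Registry, notify_allowlist: Iterable[str] = ()) -> List[dict]:
    """Return one finding per persistence indicator present in the snapshot."""
    reg = _normalize(reg)
    allow = {d.lower() for d in notify_allowlist}
    findings: List[dict] = []

    # 1. AppInit_DLLs: every DLL named here is loaded into processes that load user32.dll.
    #    strip() matters: the worm's value starts with a blank, so "== ''" checks miss it.
    appinit = str(reg.get(KEY_APPINIT, {}).get("appinit_dlls", ""))
    for dll in re.split(r"[ ,]+", appinit.strip()):
        if dll:
            findings.append({"technique": "AppInit_DLLs", "key": KEY_APPINIT,
                             "detail": f"{dll} loaded into user32-linked processes"})

    # 2. PendingFileRenameOperations: consecutive (source, target) pairs; "" target = delete.
    pfro = list(reg.get(KEY_SESSION, {}).get("pendingfilerenameoperations", []))
    for src, dst in zip(pfro[0::2], pfro[1::2]):
        src_path = src[4:] if src.startswith("\\??\\") else src  # drop NT "\??\" prefix
        action = "delete at next boot" if dst == "" else f"rename to {dst}"
        findings.append({"technique": "PendingFileRenameOperations", "key": KEY_SESSION,
                         "detail": f"{src_path}: {action}"})

    # 3. Winlogon Notify packages: DLLs winlogon loads at logon; flag anything not baselined.
    for key, values in reg.items():
        if key.startswith(KEY_NOTIFY + "\\"):
            dll = str(values.get("dllname", "")).lower()
            if dll and dll not in allow:
                findings.append({"technique": "Winlogon Notify", "key": key,
                                 "detail": f"{dll} registered as a notification package"})
    return findings


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_REGISTRY, notify_allowlist={"baseline.dll"}):
        print(f"[{f['technique']}] {f['key']}: {f['detail']}")
```

Run as a script it prints three findings for the sample: the AppInit DLL, the scheduled deletion of svchost32.exe, and the unbaselined Notify package. The allowlist is the part a defender has to maintain per Windows version; without one, every Notify package is reported, which is the safer default for an unknown host.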

Symptoms

W32/Stration@MM creates multiple copies of itself using filenames with double extension in the user's temp folder.

Example: %Userprofile%\Local Settings\Temp\document.txt                          .cmd

Note: The worm inserts multiple blank spaces between the two file extensions.

The following combinations of filename and extensions are used:

Filename:

body
data
doc
docs
document
file
message
readme
test
text

First Extension:

.dat
.elm
.log
.msg
.txt

Second Extension:

.bat
.cmd
.exe
.pif
.scr

Downloader Component:

W32/Stration@MM attempts to connect to the following URL to download a file:

  • http://strationee.com/chr/[Removed]

NOTE: At the time of writing this description, McAfee Avert did not observe any file being downloaded; the files may have been moved or deleted at the remote site.

Method of Infection

Propagation via Mail:

Address harvesting:

The worm reads files of the following types to harvest email addresses from the infected system:

adb
asp
cfg
cgi
dbx
dhtm   
eml
htm
html   
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl 
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

Mailbody:

Constructs an email message with the following characteristics:



From: [Spoofed]

Subject: (Any of the following)

Error
Good Day
Mail Delivery System
Mail Transaction Failed
Server Report
Status
hello
picture
test

Message body:  (Any of the following)

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

Attachment: (Any of the following)

Filename:

body
data
doc
docs
document
file
message
readme
test
text

First Extension:

.dat
.elm
.log
.msg
.txt

Second Extension:

.bat
.cmd
.exe
.pif
.scr

Note: The worm inserts multiple blank spaces between the two file extensions.
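
The dropped copies in the Temp folder (Symptoms) and the mail attachments described here use the same trick: a document-looking base name and extension, a run of blanks, then the real executable extension, so a truncated file listing or mail client shows only "document.txt". The following Python is an added example, not part of the McAfee description. classify_name flags any whitespace-padded double extension whose final extension is executable, so it generalises beyond this worm's word lists, and it also records whether the base name and first extension match the lists above exactly. The EXECUTABLE_EXT entries beyond the worm's five extensions are this example's assumption, and SAMPLE_PATHS is constructed sample input.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Name components the description lists for dropped copies and mail attachments.
STRATION_BASENAMES = {"body", "data", "doc", "docs", "document", "file",
                      "message", "readme", "test", "text"}
STRATION_FIRST_EXT = {".dat", ".elm", ".log", ".msg", ".txt"}
STRATION_SECOND_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr"}

# Extensions Windows executes regardless of what the padded name suggests.
# The additions beyond the worm's five are an assumption for the generalised check.
EXECUTABLE_EXT = STRATION_SECOND_EXT | {".com", ".vbs", ".js", ".wsf", ".hta"}

# base name, a "document" extension, a run of blanks, then the real extension.
_PADDED = re.compile(
    r"^(?P<base>[^\\/.]+)(?P<first>\.[A-Za-z0-9]+)(?P<gap>[ \t]+)(?P<second>\.[A-Za-z0-9]+)$"
)


def classify_name(path: str) -> Optional[dict]:
    """Return a finding for a whitespace-padded double extension, else None."""
    name = PureWindowsPath(path).name  # only the final component carries the trick
    m = _PADDED.match(name)
    if m is None:
        return None
    base, first, gap, second = m.group("base"), m.group("first"), m.group("gap"), m.group("second")
    if second.lower() not in EXECUTABLE_EXT:
        return None  # e.g. "notes.txt   .bak": odd, but not executable
    return {
        "name": name,
        "displayed_as": base + first,  # what a truncated listing shows the user
        "real_extension": second.lower(),
        "gap": len(gap),
        # exact match against the description's name and first-extension lists
        "matches_stration_lists": (base.lower() in STRATION_BASENAMES
                                   and first.lower() in STRATION_FIRST_EXT),
    }


def scan_paths(paths: List[str]) -> List[dict]:
    """Run classify_name over a list of paths and keep the hits, in input order."""
    return [f for f in (classify_name(p) for p in paths) if f is not None]


# Constructed sample: the example path from the description, a second worm-style
# name, two benign names, and a name that uses the trick without the worm's word lists.
SAMPLE_PATHS = [
    r"%Userprofile%\Local Settings\Temp\document.txt                          .cmd",
    r"%Userprofile%\Local Settings\Temp\readme.log     .scr",
    r"C:\Users\alice\Documents\report.txt",
    r"C:\Users\alice\Downloads\notes.txt   .bak",
    r"C:\Users\alice\Downloads\invoice.pdf      .exe",
]

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_PATHS):
        print(f"{hit['displayed_as']!r} is really {hit['real_extension']} "
              f"({hit['gap']} blanks; matches Stration lists: {hit['matches_stration_lists']})")
```

The check deliberately keys on the padding-plus-executable-extension shape rather than on the word lists alone, since a later variant can change the words but still needs the blanks to hide the real extension; the list match is kept as a separate field so a triage rule can weight an exact Stration pattern higher.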

 

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

    N/A