W32/Stration.dr

Type: Virus
SubType: Dropper
Discovery Date: 09/25/2006
Length: varies
Minimum DAT: 4859 (09/25/2006)
Updated DAT: 5189 (12/19/2007)
Minimum Engine: 5.1.00
Description Added: 09/25/2006
Description Modified: 10/26/2006 3:29 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

-- Update October 26, 2006 --

Another variant of this worm is in the wild. See the Characteristics section for details of this latest variant.

-- end update --

W32/Stration.dr is a dropper for the mass-mailing worm W32/Stration@MM, which uses its own SMTP engine to send itself to the email addresses it harvests from the infected computer. W32/Stration.dr is written in Microsoft Visual C++ and also contains functionality to connect to a remote web server and download a file.

Characteristics

-- Update October 26, 2006 --

This latest variant downloads binary files from different URLs than earlier variants did. The URLs currently in use are listed below:

www6.fandesjinkderunha.com/chr/829/[hidden]
www2.ertinmdesachlion.com.com/cgi-bin/[hidden]

Other URLs are believed to be in use and will be updated here as soon as possible.

Once executed, this latest variant displays a fake error message (screenshot not reproduced here).

Email attachment filenames fall into two typical types:

1. Spoofed "update" filenames using the following convention:

Update-KB[number]-x86.[extension]

Where [number] is a seemingly random number posing as a Microsoft Knowledge Base article number for a patch or similar, and [extension] is either .exe or .zip.

2. Double extension filenames using the following convention:

[stub].[ext1].[ext2]

Where [stub] includes, but is not limited to, test, text, doc, body, docs and document; [ext1] is one of txt, dat or msg; and [ext2] is one of bat, cmd or exe. Because Windows hides known file extensions by default, a name such as document.txt.exe is shown to the user as document.txt, which is the point of the double extension.

-- end update --
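The two attachment-naming conventions above are simple enough to check at the mail gateway. The following is an added example, not code from the original description or from McAfee: it classifies attachment filenames against the fake-update and double-extension patterns. The stub, extension and KB-number rules are taken from the description; the regular expressions, the "unlisted stub" category and the sample filenames are this example's own construction.

```python
import re
from typing import Dict, Iterable, Optional

# Fake "update" lure: Update-KB[number]-x86.exe or .zip (from the description).
KB_RE = re.compile(r"^Update-KB\d+-x86\.(exe|zip)$", re.IGNORECASE)

# Double-extension lure: [stub].[ext1].[ext2] with the sets named above.
STUBS = {"test", "text", "doc", "body", "docs", "document"}
EXT1 = {"txt", "dat", "msg"}
EXT2 = {"bat", "cmd", "exe"}
DOUBLE_EXT_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")


def classify_attachment(name: str) -> Optional[str]:
    """Return the lure type an attachment filename matches, or None if clean."""
    name = name.strip()
    if KB_RE.match(name):
        return "fake-update"
    m = DOUBLE_EXT_RE.match(name)
    if m:
        stub, ext1, ext2 = (part.lower() for part in m.groups())
        if ext1 in EXT1 and ext2 in EXT2:
            # The description says the stub list is "not limited to" those
            # named, so an executable behind a document-like extension is
            # still reported when the stub is unlisted, just tagged differently.
            return "double-extension" if stub in STUBS else "double-extension-unlisted-stub"
    return None


def scan_attachments(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious filename to its lure type; clean names are omitted."""
    result = {}
    for n in names:
        lure = classify_attachment(n)
        if lure is not None:
            result[n] = lure
    return result


# Constructed sample input (not taken from real mail traffic).
SAMPLE_ATTACHMENTS = [
    "Update-KB34872-x86.exe",
    "Update-KB9012-x86.zip",
    "document.txt.exe",
    "body.dat.cmd",
    "invoice.msg.bat",      # unlisted stub, still an executable behind .msg
    "report.pdf",
    "Update-KB123-x64.exe", # wrong architecture suffix: not the described convention
    "notes.txt",
]

if __name__ == "__main__":
    for name, lure in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {lure}")
```

The x86 suffix and the exact extension sets are deliberately strict so that the rule matches what the description documents; loosen them only if you have samples showing the convention has changed.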

There are several variants of this worm, and filenames, registry keys, domains and so on differ between them, so this is a general description.

Upon execution, the worm opens Notepad to display a text file of random characters (screenshot not reproduced here).


It creates a copy of itself in the Windows directory:

  • %WINDIR%\t2serv.exe ( 117363 bytes )

(Where %WINDIR% usually refers to the C:\Windows directory)

Then it drops the following files:

  • %SYSTEMDIR%\rsmpmsim.exe ( 12288 bytes )  W32/Stration@MM virus
  • %SYSTEMDIR%\cdoskbdu.dll ( 20480 bytes )  W32/Stration@MM virus
  • %WINDIR%\t2serv.dll ( 6656 bytes )        W32/Stration@MM virus
  • %SYSTEMDIR%\icaacsrs.dll ( 28672 bytes )  W32/Stration@MM virus
  • %SYSTEMDIR%\e1.dll ( 8192 bytes )         W32/Stration@MM virus
  • %WINDIR%\t2serv.wax

The DLL files are injected into the process explorer.exe. The worm creates the following registry values: the Run value restarts t2serv.exe at logon, and the AppInit_DLLs value makes Windows load the listed DLLs into every process that loads user32.dll, explorer.exe among them.

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \t2serv="%WINDIR%\t2serv.exe s"
  • hkey_local_machine\software\microsoft\windows nt\currentversion
    \windows\appinit_dlls=" icaacsrs.dll e1.dll"

It attempts to download files from the following sites:

  • www2.vertionkdase<REMOVED>.com
  • www3.vertionkdase<REMOVED>.com
  • www4.vertionkdase<REMOVED>.com
  • www6.vertionkdase<REMOVED>.com

Symptoms

-- Update October 26, 2006 --

HTTP traffic or DNS requests to the URLs listed under Characteristics.

DNS MX record requests for the domains of well-known mail services, which an ordinary workstation does not normally make.

-- end update --

  • Existence of mentioned files and registry keys
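The two network symptoms above are visible in DNS logs without any host access. The following is an added example, not code from the original description or from McAfee: it runs over constructed DNS query-log lines and flags clients that resolve the download hosts named on this page and clients that issue MX lookups for several distinct domains (the mass-mailer pattern). The log format (`timestamp client qtype qname`), the distinct-domain threshold and the sample lines are this example's own assumptions; because the vertionkdase domain is redacted on this page, it is matched on its visible prefix only, and the sample uses a clearly fake .invalid stand-in for it.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Download hosts named on this page. The vertionkdase domain is redacted
# there, so only its visible prefix is matched.
DOWNLOAD_HOST_PATTERNS = [
    re.compile(r"^www\d+\.vertionkdase", re.IGNORECASE),
    re.compile(r"^www6\.fandesjinkderunha\.com$", re.IGNORECASE),
    re.compile(r"^www2\.ertinmdesachlion\.com\.com$", re.IGNORECASE),
]
# A workstation issuing MX lookups for this many distinct domains is treated
# as running its own SMTP engine (assumed threshold).
MX_DISTINCT_THRESHOLD = 3


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse 'ts client qtype qname'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def triage_dns_log(lines: Iterable[str],
                   allowed_mx_clients: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {client: [findings]} for clients showing Stration symptoms.
    allowed_mx_clients lists real mail servers that legitimately query MX."""
    findings: Dict[str, List[str]] = defaultdict(list)
    mx_domains: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qtype, qname = rec
        if any(p.match(qname) for p in DOWNLOAD_HOST_PATTERNS):
            findings[client].append(f"stration-download-host:{qname}")
        if qtype == "MX" and client not in allowed_mx_clients:
            mx_domains[client].add(qname)
    for client, doms in mx_domains.items():
        if len(doms) >= MX_DISTINCT_THRESHOLD:
            findings[client].append(f"mx-lookups:{len(doms)}-domains")
    return dict(findings)


# Constructed sample log (not captured traffic). 10.0.0.15 is the infected
# workstation, 10.0.0.20 a clean one, 10.0.0.5 the site's real mail server.
SAMPLE_DNS_LOG = """\
2006-10-26T09:12:01 10.0.0.15 A www6.fandesjinkderunha.com
2006-10-26T09:12:02 10.0.0.15 A www2.ertinmdesachlion.com.com
2006-10-26T09:12:03 10.0.0.15 A www4.vertionkdase-redacted.invalid
2006-10-26T09:13:05 10.0.0.15 MX hotmail.com
2006-10-26T09:13:06 10.0.0.15 MX yahoo.com
2006-10-26T09:13:07 10.0.0.15 MX aol.com
2006-10-26T09:13:08 10.0.0.15 MX gmail.com
2006-10-26T09:14:00 10.0.0.20 A www.microsoft.com
2006-10-26T09:14:01 10.0.0.20 MX example.org
2006-10-26T09:14:02 10.0.0.5 MX example.net
2006-10-26T09:14:03 10.0.0.5 MX example.com
2006-10-26T09:14:04 10.0.0.5 MX example.org
malformed line here
""".splitlines()

if __name__ == "__main__":
    for client, hits in triage_dns_log(SAMPLE_DNS_LOG, frozenset({"10.0.0.5"})).items():
        print(client, hits)
```

Without the allow-list the real mail server trips the MX rule too, which is why the allow-list is a parameter rather than baked in: the rule is only meaningful for hosts that should never speak SMTP directly.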

Method of Infection

For further information regarding the method of infection, see the W32/Stration@MM description.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A