Virus Encyclopedia

I-Worm/Stration

Names, aliases:

Win32/Stration.worm.Gen (AhnLab-V3), TR/Crypt.CFI.Gen (AntiVir), W32/Document-disguised-based!Maximus (Authentium), Win32.Warezov (BitDefender), DNAScan (CAT-QuickHeal), Worm.Stration (ClamAV), Win32.HLLM.Limar (DrWeb), Win32.Warezov.gen (eSafe), Worm.Warezov (Ewido), W32/Stration (Fortinet), W32/Document-disguised-based!Maximus (F-Prot), Email-Worm.Win32.Warezov (Ikarus), Email-Worm.Win32.Warezov (Kaspersky), W32/Strationr (McAfee), TrojanDownloader:Win32/Stration - VirTool:Win32/Obfuscator (Microsoft), Win32/Stration (NOD32v2), W32/Stration (Norman), Trj/SpamtaLoad (Panda), Mal/Packer (Sophos), Trojan-Downloader.Win32.Stration (Sunbelt), W32.Stration!dldr (Symantec), W32/Warezov (TheHacker), MalwareScope.Worm.Warezov (VBA32), I-Worm.Opnis (VirusBuster), Trojan.Crypt.CFI.Gen (Webwasher-Gateway)

Behavior:

Worm that spreads itself through e-mail and ICQ/MSN/SKYPE messages.

Description:

Upon running, the worm copies itself into the System32 folder and installs its components. It adds a link to its main executable in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is executed at every start-up of the system. Its components are registered under the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, value "AppInit_DLLs" (every DLL listed there is loaded into every process that loads user32.dll), and, in some variants, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.

A variant commonly uses several or all of these keys, and it may also write the same component twice into one key.
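The following script, added here as an example and not part of the original entry or of AVG's cleaner, triages the three persistence locations named above. On Windows, collect_windows() reads the live registry through the standard winreg module; triage() works on plain dictionaries so that it can also be run offline on values exported from an infected machine. The baseline sets (ctfmon.exe as a legitimate System32 autostart, and the Winlogon\Notify packages shipped with Windows XP) are assumptions used for illustration; in practice compare against a clean image of the same build. The file names in the usage example are constructed.

```python
"""Triage of the Run, AppInit_DLLs and Winlogon\\Notify locations (added example)."""
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baselines for illustration: programs legitimately auto-started from
# System32, and the Winlogon\Notify packages of a default Windows XP install.
BASELINE_RUN_SYSTEM32 = {"ctfmon.exe"}
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def exe_path(command):
    """Program path from a Run command line (quotes and arguments removed), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def split_appinit(value):
    """AppInit_DLLs is one string; the DLL names in it are separated by spaces or commas."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def triage(run_values, appinit_dlls, notify_dllnames):
    """Return (location, finding) pairs for the three locations the worm uses.

    run_values:      {value name: command line} from the Run key
    appinit_dlls:    the raw AppInit_DLLs string
    notify_dllnames: {subkey name: DllName} from Winlogon\\Notify
    """
    findings = []
    seen = {}
    for name, cmd in run_values.items():
        path = exe_path(cmd)
        base = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path and base not in BASELINE_RUN_SYSTEM32:
            findings.append(("Run", f"{name} starts {path} from System32"))
        if path in seen:  # the same component written twice into one key
            findings.append(("Run", f"{name} duplicates {seen[path]} ({path})"))
        seen.setdefault(path, name)

    dlls = split_appinit(appinit_dlls)
    for i, dll in enumerate(dlls):
        findings.append(("AppInit_DLLs", f"{dll} is loaded into every process that loads user32.dll"))
        if dll.lower() in (d.lower() for d in dlls[:i]):
            findings.append(("AppInit_DLLs", f"{dll} is listed more than once"))

    for sub, dll in notify_dllnames.items():
        if sub.lower() not in BASELINE_NOTIFY:
            findings.append(("Winlogon\\Notify", f"{sub} registers {dll} for logon notifications"))
    return findings


def collect_windows():
    """Read the three locations from the live registry (Windows only)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    run, notify, appinit = {}, {}, ""
    with winreg.OpenKey(hklm, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            run[name] = str(value)
            i += 1
    with winreg.OpenKey(hklm, WINDOWS_KEY) as key:
        try:
            appinit = str(winreg.QueryValueEx(key, "AppInit_DLLs")[0])
        except FileNotFoundError:
            pass
    try:
        with winreg.OpenKey(hklm, NOTIFY_KEY) as key:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, i)
                except OSError:  # no more subkeys
                    break
                with winreg.OpenKey(key, sub) as subkey:
                    try:
                        notify[sub] = str(winreg.QueryValueEx(subkey, "DllName")[0])
                    except FileNotFoundError:
                        pass
                i += 1
    except FileNotFoundError:
        pass
    return run, appinit, notify


if __name__ == "__main__":
    # Constructed offline example; on Windows use triage(*collect_windows()).
    sample_run = {"Update": r"C:\WINDOWS\system32\sample-worm.exe",
                  "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe CTFMON.EXE"}
    for location, finding in triage(sample_run, "sample-worm.dll", {"sample": "sample-worm.dll"}):
        print(f"{location}: {finding}")
```

On 64-bit Windows the same three locations also exist under HKLM\SOFTWARE\Wow6432Node and should be checked as well.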

Spreading: E-mail
The worm sends messages with a forged sender address and name; the subject is usually one of:
Error
Good Day
hello
Mail Delivery System
Mail server report
Mail Transaction Failed
picture
Server Report
Status
test
Your information

The subjects used depend on the variant of the worm.

The messages contain an executable attachment, named for example:
body.*
test.*
text.*
Update-KBXXXX-x86.*
Access.*

Note: XXXX is a four digit random number.

Newer variants of the worm also attach *.pdf files (for example fake invoices) to make the message look legitimate to the recipient.

The worm sends these messages, without the user's permission or knowledge, to e-mail addresses taken from the user's Windows Address Book. These messages carry an executable attachment. The attachment name has two extensions (for example text.txt.exe) to trick the user: Windows hides known file extensions by default, so only the decoy extension is visible. Only the attachment update-KB.exe shows its .EXE extension openly. When the attachment is executed, the computer is infected. The worm uses its own built-in SMTP client to send the messages, taking the SMTP server address from the user's default e-mail account.
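A mail-gateway heuristic for the lure described above, added here as an example (it is not part of the original entry and not a vendor signature). The subject list and the attachment name stems come from the entry; the executable and decoy extension sets, the scoring rule and the sample message are the author's assumptions, constructed for illustration.

```python
"""Heuristic for the Stration e-mail lure (added example)."""
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Subjects and attachment stems listed in the entry.
LURE_SUBJECTS = {s.lower() for s in (
    "Error", "Good Day", "hello", "Mail Delivery System", "Mail server report",
    "Mail Transaction Failed", "picture", "Server Report", "Status", "test",
    "Your information")}
LURE_STEMS = {"body", "test", "text", "access"}
UPDATE_KB = re.compile(r"^update-kb\d{4}-x86\.")  # Update-KBXXXX-x86.*
# Assumed extension sets: what runs when double-clicked, and what a decoy looks like.
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "zip"}


def attachment_reasons(filename):
    """List the reasons an attachment name matches the lure (empty if none)."""
    name = filename.lower()
    parts = name.split(".")
    reasons = []
    if parts[0] in LURE_STEMS:
        reasons.append("lure name")
    if UPDATE_KB.match(name):
        reasons.append("fake Windows update name")
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append("executable extension")
        # text.txt.exe is shown as "text.txt" when known extensions are hidden
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension")
    return reasons


def analyze(raw_message):
    """Verdict for one message given as an RFC 822 string."""
    msg = message_from_string(raw_message)
    subject_lure = (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS
    attachments = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append((filename, attachment_reasons(filename)))
    runnable = [r for _, r in attachments if "executable extension" in r]
    # A disguised executable is enough on its own; a plain executable needs a lure subject too.
    suspicious = any("double extension" in r or "fake Windows update name" in r
                     for r in runnable) or (subject_lure and bool(runnable))
    return {"subject_lure": subject_lure, "attachments": attachments,
            "suspicious": suspicious}


def build_sample():
    """Constructed sample shaped like the lure; not a real capture."""
    msg = MIMEMultipart()
    msg["From"] = "Mail Delivery System <postmaster@example.com>"  # forged sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Mail Delivery System"
    msg.attach(MIMEText("The original message was included as an attachment.\n"))
    part = MIMEBase("application", "octet-stream")
    part.set_payload(b"MZ" + b"\x90" * 14)  # placeholder bytes, not a real binary
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename="text.txt.exe")
    msg.attach(part)
    return msg.as_string()


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Because the worm uses its own SMTP client, a complementary host-side check is to look for outbound connections to port 25 from any process other than the installed mail client.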

Spreading: ICQ/MSN/SKYPE
The worm sends messages with a forged sender name and a text such as:

Look, a new office killer game. Go download and join the rest of us!
My nick there is Miril!

The message contains a link to the primary infector, for example:

http:/ .... /msdfg.zip

The exact server and file names depend on the variant.

The worm sends these messages, without the user's permission or knowledge, to the contacts of the chat client on the infected computer. When the user follows the link and runs the downloaded file (ignoring any security warning), the computer becomes infected.

For both spreading methods, this part of the worm's behaviour varies considerably between variants.

Payload:

Various modifications of the worm try to download (via HTTP) one or more files from the Internet. Server and file names vary between variants.

The worm blocks some security software, for example various firewalls and antivirus programs: it stops the services belonging to that software, or redirects the vendors' update servers in the hosts file (see below).

In the case of AVG (and likewise for many other antivirus products), the worm prevents the download of update files by modifying the hosts file (%SystemRoot%\System32\drivers\etc\hosts): it adds entries that map the update servers' names to a wrong IP address. (Explanation: the Windows resolver consults the hosts file before it sends a DNS query, so a name found there never reaches the DNS servers and the update client connects to the wrong address.)
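The following check, added here as an example and not part of the original entry, parses a hosts file and reports every security-vendor hostname that has been overridden, distinguishing entries that black-hole the name (loopback or 0.0.0.0, which blocks updates) from entries that redirect it to some other address. The vendor marker list and the sample hosts content are constructed for illustration; a real check would use the exact update hostnames of the products installed on the machine.

```python
"""Detect hijacked antivirus update hosts in the hosts file (added example)."""
import ipaddress
import os

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")

# Substrings that identify security-vendor update servers (assumed list).
VENDOR_MARKERS = ("avg", "grisoft", "symantec", "mcafee", "kaspersky", "sophos",
                  "trendmicro", "f-secure", "windowsupdate", "microsoft")


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:  # one address may map several names
            entries.append((lineno, fields[0], host.lower()))
    return entries


def is_blackhole(address):
    """True for addresses that make a connection fail: loopback or 0.0.0.0 / ::."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def hijacked_entries(text, markers=VENDOR_MARKERS):
    """Vendor hostnames the hosts file overrides, as (line, host, address, kind)."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if any(m in host for m in markers):
            kind = "blocked" if is_blackhole(addr) else "redirected"
            findings.append((lineno, host, addr, kind))
    return findings


# Constructed sample resembling a hosts file after such a modification.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1 update.grisoft.com
127.0.0.1 free.grisoft.com download.mcafee.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   downloads1.kaspersky-labs.com
192.0.2.10 update.microsoft.com
"""


if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, host, addr, kind in hijacked_entries(text):
        print(f"line {lineno}: {host} -> {addr} ({kind})")
```

After removing the entries, run ipconfig /flushdns so that the resolver cache no longer holds the wrong addresses.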

Newer versions of the worm use process injection: the worm's code is executed inside another process, usually Internet Explorer or another web browser. A personal firewall that filters by application then sees the worm's traffic as the browser's, which it already allows.

Some versions of the worm crash Explorer, disable the Save command in Notepad, disable Regedit, or download other malware from the Internet.

When run, Update-KB.exe sometimes displays a message about a successful installation.

Removing:

Delete all files detected as I-Worm/Stration; the vcleaner utility can be used for this purpose. Afterwards, check that the registry entries listed above no longer refer to the deleted files, and remove the worm's entries from the hosts file, otherwise the antivirus program still cannot download its updates.