Win32/Stration [Threat Name]

Win32/Stration.ACL [Threat Variant Name]

Category: trojan, worm
Size: 122369 B
Detection created: Sep 22, 2014
Detection database version: 10448
Aliases: Email-Worm.Win32.Warezov.ali (Kaspersky)
         Trojan.Proxy.2413 (Dr.Web)
         Worm:Win32/Stration.DU@mm (Microsoft)
         Backdoor.Trojan (Symantec)
Short description

The trojan serves as a proxy server. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %windir%\system32\diagisr.dll
  • %windir%\system32\isrprf32.dll
  • %windir%\system32\isrprov.exe

The trojan may create the following files:

  • %windir%\system32\sysnt.dat
  • %temp%\temp_%number%.bat

The %number% represents a random number.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "himem.exe" = "%malwarefilepath% -s"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SoundMnEx32" = "%malwarefilepath%"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:SystemVersion"

This Registry entry creates an exception for the malware file in the Windows Firewall.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%originalvalue% diagisr.dll"

In this way the trojan ensures that the library with the following name is injected into running processes:

  • diagisr.dll

Other information
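To triage a host for the persistence artefacts listed above (the two Run values, the Windows Firewall exception and the AppInit_DLLs entry), a defender can inspect an exported registry hive offline. The following Python script is an added example and is not part of the ESET description: it parses the text format produced by `reg export`, then flags Run values with the reported names, firewall exceptions whose path matches one of those Run commands, and an AppInit_DLLs value naming diagisr.dll. The embedded export is constructed sample data; the malware path in it is a placeholder, because the description gives it only as %malwarefilepath%, and the "Updater" entries are benign filler that the script is expected to ignore.

```python
import re
from typing import Dict, List, Tuple

# Registry locations named in the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Value names and the injected library reported for this variant (lower-cased for comparison).
STRATION_RUN_NAMES = {"himem.exe", "soundmnex32"}
STRATION_APPINIT_DLL = "diagisr.dll"

# Constructed sample in `reg export` format. C:\PLACEHOLDER\malware.exe stands in for
# %malwarefilepath%, which the description does not resolve; "Updater" is benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"himem.exe"="C:\\PLACEHOLDER\\malware.exe -s"
"SoundMnEx32"="C:\\PLACEHOLDER\\malware.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe /quiet"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\PLACEHOLDER\\malware.exe"="C:\\PLACEHOLDER\\malware.exe:*:Enabled:SystemVersion"
"C:\\Program Files\\Example\\updater.exe"="C:\\Program Files\\Example\\updater.exe:*:Enabled:Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="diagisr.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and quotes inside REG_SZ strings."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Quoted data (REG_SZ) is unescaped; dword:/hex: data is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_stration_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for the three persistence artefacts.
    Key and value names are compared case-insensitively, as the registry does."""
    by_key = {k.lower(): v for k, v in keys.items()}
    findings: List[Tuple[str, str]] = []

    # 1. Run values using the names reported for this variant; remember their commands.
    suspicious_cmds: List[str] = []
    for name, data in by_key.get(RUN_KEY.lower(), {}).items():
        if name.lower() in STRATION_RUN_NAMES:
            findings.append(("run_key", f'{name} = "{data}"'))
            suspicious_cmds.append(data.lower())

    # 2. Firewall exceptions whose application path occurs in one of those commands.
    for path, data in by_key.get(FIREWALL_LIST_KEY.lower(), {}).items():
        if ":*:enabled:" in data.lower() and any(path.lower() in cmd for cmd in suspicious_cmds):
            findings.append(("firewall_exception", f'{path} -> "{data}"'))

    # 3. AppInit_DLLs listing the injected library (entries are space- or comma-separated,
    #    possibly with a full path, so compare on the file name only).
    windows_key = by_key.get(APPINIT_KEY.lower(), {})
    appinit = next((v for n, v in windows_key.items() if n.lower() == "appinit_dlls"), "")
    basenames = [d.strip().lower().rsplit("\\", 1)[-1] for d in re.split(r"[ ,]+", appinit) if d.strip()]
    if STRATION_APPINIT_DLL in basenames:
        findings.append(("appinit_dlls", f'AppInit_DLLs = "{appinit}"'))
    return findings


if __name__ == "__main__":
    for category, detail in find_stration_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{category}] {detail}")
```

Run it against a real export by replacing `SAMPLE_REG_EXPORT` with the contents of a file written by `reg export HKLM hklm.reg`. The firewall check deliberately keys on the correlation with a suspicious Run command rather than on the `SystemVersion` label alone, so a renamed value name in a later build would still be caught as long as the Run entry is.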

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP, TCP and UDP protocols are used in the communication.

The trojan opens TCP port 80.

An HTTP proxy listens on that port.

The trojan opens the following UDP ports:

  • 53
  • 42771

The trojan executes the following files:

  • %windir%\system32\pvjirreg.exe
