Win32/Stration [Threat Name]

Win32/Stration.EH [Threat Variant Name]

Category worm
Size 115 KB
Detection created Sep 25, 2006
Detection database version 1774
Aliases Email-Worm.Win32.Warezov.at (Kaspersky)
Short description

Win32/Stration.EH is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • t2serv.exe

The following files are dropped in the same folder:

  • t2serv.dll
  • t2serv.wax
  • t2serv.z
  • t2serv.s

The following files are dropped into the %system% folder:

  • dminspxc.exe
  • e1.dll
  • insehype.dll
  • rdchtool.dll

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "t2serv" = "%windir%\t2serv.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "rdchtool.dll e1.dll"

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • adb
  • asp
  • cfg
  • cgi
  • dbx
  • dhtm
  • eml
  • htm
  • html
  • jsp
  • mbx
  • mdx
  • mht
  • mmf
  • msg
  • nch
  • ods
  • oft
  • php
  • pl
  • sht
  • shtm
  • stm
  • tbb
  • txt
  • uin
  • wab
  • wsh
  • xml

Addresses containing the following strings are avoided:

  • .edu
  • .gov
  • .mil
  • @avp
  • @foo
  • admin
  • anyone@
  • apache
  • berkeley
  • bugs@
  • cafee
  • certific
  • contact
  • contract@
  • example
  • fido
  • gold-certs
  • google
  • help
  • help@
  • ibm.com
  • icrosoft
  • info@
  • kasp
  • kernel
  • linux
  • local
  • master
  • mozilla
  • mydomai
  • news
  • nobody
  • noone
  • noreply
  • panda
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root@
  • samples
  • secure
  • sendmail
  • service
  • somebody
  • someone
  • spam
  • support
  • unix
  • update
  • usenet
  • winrar
  • winzip
  • your

Subject of the message is one of the following:

  • Error
  • Good day
  • hello
  • Mail Delivery System
  • Mail server report.
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
  • test

Body of the message is one of the following:

  • Mail transaction failed. Partial message is available.
  • Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

The attachment is either an executable of the worm, or a ZIP archive containing it.
Its filename is one of the following:

  • body
  • doc
  • file
  • message
  • readme
  • test
  • Update-KB1203-x86
  • Update-KB1375-x86
  • Update-KB1656-x86
  • Update-KB1781-x86
  • Update-KB1968-x86
  • Update-KB2875-x86
  • Update-KB2937-x86
  • Update-KB6843-x86
  • Update-KB7578-x86
  • Update-KB7687-x86
  • Update-KB8203-x86
  • Update-KB9093-x86
  • Update-KB9171-x86
  • Update-KB9765-x86
  • Update-KB9812-x86

A double extension may be used.
The first is one of the following:

  • .dat
  • .elm
  • .log
  • .txt

The second is one of the following:

  • .bat
  • .exe
  • .pif
  • .scr

If an archive is attached, the name has the following extension:

  • .zip
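A mail-gateway check for the attachment naming scheme described above, added here as an example (it is not ESET's code and not taken from the worm): it accepts the listed base names, generalises the Update-KB names to any four-digit number, and also allows a decoy extension before .zip, which is an assumption the description does not state. The sample messages are constructed.

```python
import re
from typing import List

# Lure subjects, attachment base names and extensions as listed in the description
# above (values copied from the page, compared case-insensitively).
SUBJECTS = {"error", "good day", "hello", "mail delivery system", "mail server report.",
            "mail transaction failed", "picture", "server report", "status", "test"}
BASENAMES = {"body", "doc", "file", "message", "readme", "test"}
KB_NAME_RE = re.compile(r"^update-kb\d{4}-x86$")  # generalises the 15 listed names
DECOY_EXTS = {".dat", ".elm", ".log", ".txt"}     # first part of a double extension
EXEC_EXTS = {".bat", ".exe", ".pif", ".scr"}      # second (real) extension


def is_stration_attachment(filename: str) -> bool:
    """Return True if the attachment name fits the naming scheme described above.

    Accepted shapes: <base>.<exec>, <base>.<decoy>.<exec> and <base>.zip.
    A decoy extension before .zip is also accepted (assumption, not on the page).
    """
    parts = filename.lower().split(".")
    base, exts = parts[0], ["." + p for p in parts[1:]]
    if base not in BASENAMES and not KB_NAME_RE.match(base):
        return False
    if not exts or len(exts) > 2:
        return False
    if len(exts) == 2 and exts[0] not in DECOY_EXTS:
        return False
    return exts[-1] in EXEC_EXTS or exts[-1] == ".zip"


def classify_message(subject: str, attachments: List[str]) -> List[str]:
    """Return the reasons a message looks like a Stration.EH lure (empty = no match).

    The attachment name is the strong signal; the subject alone is too generic
    to act on, so it is only reported as a supporting reason.
    """
    reasons = []
    hits = [a for a in attachments if is_stration_attachment(a)]
    if hits:
        reasons.append("attachment name matches worm naming scheme: " + ", ".join(hits))
        if subject.strip().lower() in SUBJECTS:
            reasons.append("subject is one of the worm's lure subjects: " + subject)
    return reasons


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    print(classify_message("Mail Delivery System", ["Update-KB1203-x86.txt.exe"]))
    print(classify_message("Status", ["quarterly_report.docx"]))
```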
