Win32/Stration [Threat Name]

Detection created2006-08-16
World activity peak 2007-12-04 (1.23 %)

This text describes a family of worms. As there are many different variants of Win32/Stration , some properties may vary.

Short description

Win32/Stration is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using a random filename.


Several other files are dropped in the following folders:

  • %system%
  • %windir%

The following Registry entries are set:

  • HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run
  • HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows\­AppInit_DLLs

The entries contain path to worm executables.


A Notepad window with random text may be displayed.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files. Subject of the message may be one of the following:

  • Error
  • Good day
  • hello
  • Mail Delivery System
  • Mail server report.
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
  • test

Body of the message may be one of the following:

Mail transaction failed. Partial message is available. The message contains Unicode characters and has been sentas a binary attachment. The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service

The attachment is either an executable of the worm, or a ZIP archive containing it.


Its filename may be one of the following:

  • body
  • data
  • doc
  • docs
  • document
  • file
  • message
  • readme
  • test
  • text
  • Update-KB-abcd-x86

The variable "abcd" represents a variable 4 digit number.


A double extension may be used.


The first is one of the following:

  • dat
  • doc
  • elm
  • log
  • msg
  • txt

The second is one of the following:

  • bat
  • cmd
  • exe
  • pif
  • scr

If an archive is attached, the name has the following extension:

  • .zip
Other information

The worm terminates various security related applications.


The worm contains a list of URLs.


It tries to download several files from the addresses.


The files are then executed.

Threat Variants with Description

Threat Variant Name Date Added Threat Type
Win32/Stration.ACL 2014-09-22 trojan,worm
Win32/Stration.HY 2006-10-19 worm
Win32/Stration.FG 2006-10-02 worm
Win32/Stration.FQ 2006-10-02 trojan,worm
Win32/Stration.ET 2006-09-26 worm
Win32/Stration.EH 2006-09-25 worm
Win32/Stration.AA 2006-09-01 worm

Please enable Javascript to ensure correct displaying of this content and refresh this page.