Win32/Stration [Threat Name]

Win32/Stration.ET [Threat Variant Name]

Category worm
Size 116320 B
Aliases Email-Worm.Win32.Warezov.gen (Kaspersky)
  W32/Stration@MM (McAfee)
  W32.Stration@mm (Symantec)
Short description

Win32/Stration.ET is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • t2serv.exe

The following files are dropped in the same folder:

  • t2serv.dll
  • t2serv.wax
  • t2serv.s

The following files are dropped into the %system% folder:

  • kbdaqosn.dll
  • mqpeh323.dll
  • vjoyslay.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "t2serv" = "%windir%\t2serv s"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "kbdaqosn.dll e1.dll"

A Notepad window with random text is displayed.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

Addresses containing the following strings are avoided:

  • .edu
  • .gov
  • .mil
  • @avp
  • @foo
  • admin
  • anyone@
  • apache
  • berkeley
  • bsd
  • bugs@
  • cafee
  • certific
  • contact
  • contract@
  • example
  • fido
  • ftp
  • gnu
  • gold-certs
  • google
  • help
  • help@
  • ibm.com
  • icrosoft
  • info@
  • kasp
  • kernel
  • linux
  • local
  • master
  • mozilla
  • mydomai
  • news
  • nobody
  • noone
  • noreply
  • panda
  • pgp
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root@
  • samples
  • secure
  • sendmail
  • service
  • somebody
  • someone
  • spam
  • support
  • unix
  • update
  • usenet
  • winrar
  • winzip
  • www
  • xx
  • you
  • your

Strings from the following (4) lists may be used to form the sender address:

  • sec
  • serv
  • secur

  • adam
  • alice
  • anna
  • betty
  • bob
  • brenda
  • brent
  • brian
  • carol
  • claudia
  • craig
  • cyber
  • dan
  • dave
  • david
  • debby
  • den
  • Donn
  • frank
  • george
  • gerhard
  • helen
  • james
  • jane
  • jayson
  • jerry
  • jim
  • joe
  • john
  • karen
  • linda
  • lisa
  • mancy
  • maria
  • ruth
  • sandra
  • sharon
  • Susan

  • adams
  • allen
  • anderson
  • baker
  • carter
  • clark
  • garcia
  • gonzalez
  • green
  • hall
  • harris
  • hernandez
  • hill
  • jackson
  • jeremy
  • joe
  • kenneth
  • king
  • lee
  • lewis
  • lopez
  • martin
  • martinez
  • miller
  • molly
  • moore
  • nelson
  • robinson
  • robyn
  • rodriguez
  • scott
  • shaan
  • taylor
  • thomas
  • thompson
  • walker
  • white
  • wilson
  • wright
  • young

  • areainc.com
  • logoluso.com
  • heatwave.com
  • megaman.com
  • scholzes.com
  • guierfence.com
  • tjh.com
  • phazen.net
  • fcradio.net
  • niet.com
  • gametemple.com
  • midmich.net
  • vieng.com
  • elamex.com
  • sycamorepd.com
  • selectplans.com
  • motorsportwarehouse.com
  • telcan.com
  • iinet.net.au
  • firstclassmoving.com

Subject of the message is one of the following:

  • Mail server report.
  • Server Report
  • Mail Delivery System
  • test
  • picture
  • hello
  • Status
  • Error
  • Good day
  • Mail Transaction Failed

Body of the message is one of the following:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
  • Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service

The attachment is either an executable of the worm, or a ZIP archive containing it.

Its filename is one of the following:

  • body
  • data
  • doc
  • docs
  • document
  • file
  • message
  • readme
  • test
  • text
  • Update-KB-abcd-x86

The placeholder "abcd" stands for a 4-digit number.

A double extension may be used. The first extension is one of the following:

  • dat
  • doc
  • elm
  • log
  • msg
  • txt

The second extension is one of the following:

  • bat
  • cmd
  • exe
  • pif
  • scr

If an archive is attached, the name has the following extension:

  • .zip
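As an added example (not part of the ESET page), the following Python builds a matcher from the attachment naming scheme described above (base name or Update-KB-abcd-x86, optional decoy extension, executable or .zip) so a mail gateway or triage script can flag candidate attachments; the sample names are constructed, and the helper names are assumptions:

```python
import re
from typing import Optional

# Attachment base names listed on the page; Update-KB-abcd-x86 is handled in the regex.
BASE_NAMES = ["body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"]
# Optional first (decoy) extension and the executable second extension from the page.
FIRST_EXT = ["dat", "doc", "elm", "log", "msg", "txt"]
SECOND_EXT = ["bat", "cmd", "exe", "pif", "scr"]


def _alt(words):
    """Join a word list into a regex alternation."""
    return "|".join(re.escape(w) for w in words)


# Base: one of the fixed names, or Update-KB-<exactly 4 digits>-x86.
_BASE = rf"(?:{_alt(BASE_NAMES)}|Update-KB-\d{{4}}-x86)"
# Either a .zip archive, or an executable extension with an optional decoy extension before it.
_PATTERN = re.compile(
    rf"^{_BASE}(?:\.zip|(?:\.(?:{_alt(FIRST_EXT)}))?\.(?:{_alt(SECOND_EXT)}))$",
    re.IGNORECASE,
)


def classify_attachment(name: str) -> Optional[str]:
    """Return 'archive', 'double-extension' or 'executable' for a matching name, else None."""
    if not _PATTERN.match(name.strip()):
        return None
    lower = name.strip().lower()
    if lower.endswith(".zip"):
        return "archive"
    # Base names contain no dots, so three dot-separated parts means a decoy extension was used.
    return "double-extension" if len(lower.split(".")) == 3 else "executable"


# Constructed sample attachment names (hypothetical, not from a real capture).
SAMPLE_NAMES = [
    "Update-KB-0042-x86.log.pif", "document.doc.exe", "readme.zip",
    "report-q3.pdf", "doc.exe", "readme.txt", "Update-KB-12345-x86.exe",
]


def flag_samples(names=SAMPLE_NAMES):
    """Map each matching name to its classification; non-matching names are dropped."""
    return {n: classify_attachment(n) for n in names if classify_attachment(n)}
```

A plain ".txt" or ".doc" attachment never matches, because the final extension must be one of the executable types the page lists.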

Other information

The worm quits immediately if any of the following applications is detected:

  • Outpost Firewall
  • McAfee Personal Firewall
  • Kerio Winroute Firewall
  • ZoneAlarm
  • Sygate Personal Firewall
  • Norton Internet Security

The following programs are terminated:

  • nod32krn
  • avginet
  • avgupsvc
  • upgrader
  • drwebupw
  • spiderml
  • autodown
  • kav
  • mcupdate
  • tbmon
  • wuauclt
  • wuauclt1
  • wupdmgr

The worm contains a list of URLs. It tries to download several files from these addresses. The files are then executed.
