Win32/Stration [Threat Name] go to Threat

Win32/Stration.FG [Threat Variant Name]

Category worm
Size 145 KB
Short description

Win32/Stration.FG is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • serv.exe

The following files are dropped in the same folder:

  • serv.dll
  • serv.wax
  • serv.s
  • serv.z

The following files are dropped into the %system% folder:

  • e1.dll
  • rasaw32t.dll
  • rdpwvbsc.exe
  • wmisshim.dll

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "serv" = "%windir%\­serv.exe s"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "AppInit_DLLs" = "rwmisshim.dll e1.dll"
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files.


Subject of the message is one of the following:

  • Error
  • Good Day
  • hello
  • Mail Delivery System
  • Mail server report.
  • Mail Transaction Failed
  • picture
  • Server Report
  • Status
  • test

Body of the message is one of the following:

Mail transaction failed. Partial message is available. Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service The message contains Unicode characters and has been sent as a binary attachment. The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

The attachment is either an executable of the worm, or a ZIP archive containing it.


Its filename is one of the following:

  • body
  • data
  • doc
  • docs
  • document
  • file
  • readme
  • test
  • text
  • Update-KB1125-x86
  • Update-KB2203-x86
  • Update-KB2781-x86
  • Update-KB2812-x86
  • Update-KB3000-x86
  • Update-KB4937-x86
  • Update-KB5093-x86
  • Update-KB6375-x86
  • Update-KB7484-x86
  • Update-KB1203-x86
  • Update-KB1375-x86
  • Update-KB1656-x86
  • Update-KB1781-x86
  • Update-KB1968-x86
  • Update-KB2875-x86
  • Update-KB2937-x86
  • Update-KB6843-x86
  • Update-KB7578-x86
  • Update-KB7687-x86
  • Update-KB8203-x86
  • Update-KB9093-x86
  • Update-KB9171-x86
  • Update-KB9765-x86
  • Update-KB9812-x86

A double extension may be used.


The first is one of the following:

  • .dat
  • .elm
  • .log
  • .msg
  • .txt

The second is one of the following:

  • .bat
  • .cmd
  • .exe
  • .scr

If an archive is attached, the name has the following extension:

  • .zip

Please enable Javascript to ensure correct displaying of this content and refresh this page.