Win32/Stration [Threat Name]

Win32/Stration.HY [Threat Variant Name]

Category worm
Size 134144 B
Aliases W32.Stration.CX@mm (Symantec)
  Email-Worm.Win32.Warezov.dc (Kaspersky)
  W32/Stration.dr (McAfee)

Short description

Win32/Stration.HY is a worm that spreads via e-mail. The worm terminates various security-related applications. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the

  • %windir%

folder using the following name:

  • serrv.exe

The following files are dropped in the same folder:

  • serrv.wax
  • serrv.s

The following file is dropped into the %system% folder:

  • e1.dll

The library e1.dll is loaded and injected into the following process:

  • explorer.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "serrv" = "%windir%\serrv.exe s"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "e1.dll"
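A defender-side triage check for the two persistence entries described above, added here as an example (it is not ESET's code): it parses a Regedit 5.00 export and reports whether the Run value and the AppInit_DLLs setting match the indicators above. The export text in SAMPLE_REG is a constructed sample.

```python
# Added example (not ESET code): flag the Win32/Stration.HY persistence entries
# in a Regedit 5.00 export. Key and value names come from the description above;
# SAMPLE_REG is a constructed export, not data from a real infection.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"serrv"="C:\\WINDOWS\\serrv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="e1.dll"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ values only).

    Keys and value names are lower-cased because the registry is case-insensitive.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and double quotes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"').lower()] = data
    return keys


def stration_hy_persistence(reg):
    """Return the persistence indicators from the description that are present."""
    hits = []
    run_value = reg.get(RUN_KEY.lower(), {}).get("serrv", "")
    if "serrv.exe" in run_value.lower():          # "serrv" = "%windir%\serrv.exe s"
        hits.append("Run\\serrv -> " + run_value)
    appinit = reg.get(APPINIT_KEY.lower(), {}).get("appinit_dlls", "")
    if "e1.dll" in appinit.lower():               # "AppInit_DLLs" = "e1.dll"
        hits.append("AppInit_DLLs -> " + appinit)
    return hits
```

On a live host the same check can be run over the output of `reg export` for the two keys, converted to UTF-8 first because Regedit writes its exports as UTF-16.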

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

Addresses containing the following strings are avoided:

  • .edu
  • .gov
  • .mil
  • @avp
  • @foo
  • admin
  • anyone@
  • apache
  • berkeley
  • bsd
  • bugs@
  • cafee
  • certific
  • contact
  • contract@
  • example
  • fido
  • ftp
  • gnu
  • gold-certs
  • google
  • help
  • help@
  • ibm.com
  • icrosoft
  • info@
  • kasp
  • kernel
  • linux
  • local
  • master
  • mozilla
  • mydomai
  • news
  • nobody
  • noone
  • noreply
  • panda
  • pgp
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root@
  • samples
  • secure
  • sendmail
  • service
  • somebody
  • someone
  • spam
  • support
  • unix
  • update
  • usenet
  • user
  • winrar
  • winzip
  • www
  • x
  • xx
  • you
  • your

Strings from the following four lists may be used to form the sender address:

  • sec
  • serv
  • secur
  • adam
  • alice
  • anna
  • betty
  • bob
  • brenda
  • brent
  • brian
  • carol
  • claudia
  • craig
  • cyber
  • dan
  • dave
  • david
  • debby
  • den
  • Donn
  • frank
  • george
  • gerhard
  • helen
  • james
  • jane
  • jayson
  • jerry
  • jim
  • joe
  • john
  • karen
  • linda
  • lisa
  • mancy
  • maria
  • ruth
  • sandra
  • sharon
  • Susan
  • adams
  • allen
  • anderson
  • baker
  • carter
  • clark
  • garcia
  • gonzalez
  • green
  • hall
  • harris
  • hernandez
  • hill
  • jackson
  • jeremy
  • joe
  • kenneth
  • king
  • lee
  • lewis
  • lopez
  • martin
  • martinez
  • miller
  • molly
  • moore
  • nelson
  • robinson
  • robyn
  • rodriguez
  • scott
  • shaan
  • taylor
  • thomas
  • thompson
  • walker
  • white
  • wilson
  • wright
  • young
  • areainc.com
  • elamex.com
  • fcradio.net
  • firstclassmoving.com
  • gametemple.com
  • guierfence.com
  • heatwave.com
  • iinet.net.au
  • logoluso.com
  • megaman.com
  • midmich.net
  • motorsportwarehouse.com
  • niet.com
  • phazen.net
  • selectplans.com
  • scholzes.com
  • sycamorepd.com
  • telcan.com
  • tjh.com
  • vieng.com

Subject of the message is one of the following:

  • Mail server report.
  • Server Report
  • Mail Delivery System
  • test
  • picture
  • hello
  • Status
  • Error
  • Good day
  • Mail Transaction Failed

Body of the message is one of the following:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
  • Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service

The attachment is either an executable of the worm, or an archive containing it.

Its filename is one of the following:

  • body
  • data
  • doc
  • docs
  • document
  • file
  • message
  • readme
  • test
  • text
  • Update-KB-%variable%-x86

%variable% stands for a variable four-digit number.

A double extension may be used. The first is one of the following:

  • .dat
  • .doc
  • .elm
  • .log
  • .msg
  • .txt

The second is one of the following:

  • .bat
  • .cmd
  • .exe
  • .pif
  • .scr

If an archive is attached, the name has the following extension:

  • .zip
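A gateway-side rule for the message characteristics listed above, added here as an example (it is not ESET's code): it matches the subject list and the attachment naming scheme, including the decoy double extension, the .zip archive form and the Update-KB-%variable%-x86 pattern. The message samples used in the checks are constructed.

```python
import re

# Added example (not ESET code): mail-gateway matching for the e-mail
# characteristics above. Subjects, base names and extensions are those from the
# description; any message or attachment names fed in below are constructed samples.
SUBJECTS = {
    "mail server report.", "server report", "mail delivery system", "test",
    "picture", "hello", "status", "error", "good day", "mail transaction failed",
}
BASENAMES = {"body", "data", "doc", "docs", "document", "file", "message",
             "readme", "test", "text"}
UPDATE_KB = re.compile(r"^update-kb-\d{4}-x86$")  # Update-KB-%variable%-x86
FIRST_EXT = {".dat", ".doc", ".elm", ".log", ".msg", ".txt"}  # decoy extension
SECOND_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr"}         # executable extension


def split_name(filename):
    """Return (base, decoy_ext, final_ext) for names like doc.txt.exe or readme.zip."""
    name = filename.lower()
    base, dot, ext = name.rpartition(".")
    if not dot:
        return name, "", ""
    inner_base, inner_dot, inner_ext = base.rpartition(".")
    if inner_dot and "." + inner_ext in FIRST_EXT:
        return inner_base, "." + inner_ext, "." + ext
    return base, "", "." + ext


def attachment_matches(filename):
    """True if the attachment name fits the worm's naming scheme."""
    base, _decoy, final_ext = split_name(filename)
    if not (base in BASENAMES or UPDATE_KB.match(base)):
        return False
    # Either the worm executable itself (with or without the decoy extension)
    # or a .zip archive that contains it.
    return final_ext in SECOND_EXT or final_ext == ".zip"


def stration_hy_mail_indicators(subject, attachment_names):
    """Return the reasons a message looks like a Win32/Stration.HY mailing."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject: " + subject)
    reasons += ["attachment: " + a for a in attachment_names if attachment_matches(a)]
    return reasons
```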

Other information

The worm terminates processes with any of the following strings in the name:

  • nod32krn
  • avginet
  • avgupsvc
  • kavsvc
  • sndsrvc
  • wupdmgr
  • upgrader
  • drwebupw
  • spiderml
  • autodown
  • kav
  • aupdate
  • lucoms
  • luall
  • ndetect
  • alunotify
  • lsetup
  • luinit
  • mcupdate
  • tbmon
  • wuauclt
  • wuauclt1
  • NOD32krn
  • kavsvc
  • SNDSrvc
  • wuauserv
  • explorer

The worm tries to download a file from the Internet. The file is then executed.
