WORM_STRAT.GEN-3
Technical Details

File type: PE

Memory resident: Yes

Size of malware: 303,104 Bytes

Initial samples received on: Jan 3, 2008

Related to: WORM_GENERIC

Payload 1: Downloads files

Payload 2: Drops files

Details:

Arrival, Installation, and Autostart Technique

This worm arrives as an attachment to email messages spammed by another malware or a malicious user. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, it drops the following file(s)/component(s):

  • %System Root%\ver_873_bvm.log - non malicious file
  • %System Root%\ver_873_controller.log - non malicious file
  • %System Root%\ver_873_s.log - non malicious file
  • %System%\digedpws.dll - detected as WORM_GENERIC
  • %System%\digedpws.exe - also detected as WORM_STRAT.GEN-3
  • %System%\iernpgps.dll - also detected as WORM_STRAT.GEN-3
  • %System%\mmcshplu.dll - also detected as WORM_STRAT.GEN-3
  • %System%\uxthvpcn.exe - also detected as WORM_STRAT.GEN-3
  • %User profile%\dbg.log - non malicious file

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It injects threads into various processes running in memory.

Other System Modifications

This worm creates the following registry key and entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon\Notify\digedpws
Asynchronous = "0"
DllName = "%System%\digedpws.dll"
Impersonate = "0"
Startup = "WlxStartupEvent"

It modifies the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Windows
AppInit_DLLs = "iernpgps.dll"

(Note: The default value data for the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Dhcp\Parameters
{D764F75A-9C69-4632-99E1-BED17ECA7670} = "hex:
fc,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,72,1a,a4,40,
06,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,25,25,a5,40,
cb,ac,0b,19,ca,49,a0,27,03,00,00,00,00,00,00,00,04,00,00,00,
00,00,00,00,25,25,a5,40,ac,10,00,fe,0f,00,00,00,00,00,00,00,
0e,00,00,00,00,00,00,00,25,25,a5,40,41,56,44,53,4c,5f,48,41,
5f,56,49,52,55,53,00,00,01,00,00,00,00,00,00,00,04,00,00,00,
00,00,00,00,25,25,a5,40,ff,ff,00,00,33,00,00,00,00,00,00,00,
04,00,00,00,00,00,00,00,25,25,a5,40,00,01,51,80,36,00,00,00,
00,00,00,00,04,0"

(Note: The default value data for the said registry entry is hex:
fc,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,a8,d3,a3,40,
06,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,25,25,a5,40,
cb,ac,0b,19,ca,49,a0,27,03,00,00,00,00,00,00,00,04,00,00,00,
00,00,00,00,25,25,a5,40,ac,10,00,fe,0f,00,00,00,00,00,00,00,
0e,00,00,00,00,00,00,00,25,25,a5,40,41,56,44,53,4c,5f,48,41,
5f,56,49,52,55,53,00,00,01,00,00,00,00,00,00,00,04,00,00,00,
00,00,00,00,25,25,a5,40,ff,ff,00,00,33,00,00,00,00,00,00,00,
04,00,00,00,00,00,00,00,25,25,a5,40,00,01,51,80,36,00,00,00,
00,00,00,00,04,0
)
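The two registry entries above are the persistence mechanisms that matter for detection: a new package under Winlogon\Notify loads digedpws.dll into winlogon.exe at logon, and a non-blank AppInit_DLLs value loads iernpgps.dll into every process that links user32.dll. The following script is an added example, not part of the Trend Micro write-up, that flags both indicators in a .reg export. It assumes a text export in the "Windows Registry Editor Version 5.00" format, uses a constructed sample that mirrors the entries listed above, and uses an illustrative baseline of expected Notify packages that is an assumption of this example rather than something the write-up states.

```python
"""Flag Winlogon\\Notify and AppInit_DLLs persistence entries in a .reg export.

Added example for this write-up; the registry data below is constructed to
match the entries the write-up lists and is not a capture from a real host.
"""
import re
from typing import Dict, List

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Illustrative baseline of Notify packages expected on a Windows XP host.
# This list is an assumption of the example; compare against a known-clean
# image of the same build rather than trusting any fixed list.
BASELINE_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed export of an infected host (values as listed in the write-up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\digedpws]
"Asynchronous"="0"
"DllName"="%System%\\digedpws.dll"
"Impersonate"="0"
"Startup"="WlxStartupEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="iernpgps.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

# Constructed export of a clean host: blank AppInit_DLLs, only a baseline package.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: [key] headers followed by "name"="string" lines.

    Only REG_SZ values are handled, which is all this check needs. Backslashes
    are escaped as \\\\ in .reg files, so they are unescaped here.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_persistence_indicators(reg_text: str) -> List[dict]:
    """Return one finding per unexpected Notify package or non-blank AppInit_DLLs."""
    findings: List[dict] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            package = key[len(NOTIFY_KEY) + 1:]
            if package not in BASELINE_NOTIFY_PACKAGES:
                findings.append({
                    "technique": "Winlogon Notify package",
                    "key": key,
                    "dll": values.get("DllName", "<missing>"),
                    "startup": values.get("Startup", ""),
                })
        elif key.lower() == APPINIT_KEY.lower():
            appinit = values.get("AppInit_DLLs", "")
            if appinit.strip():  # the write-up notes the default value is blank
                findings.append({"technique": "AppInit_DLLs", "key": key, "dll": appinit})
    return findings


if __name__ == "__main__":
    for finding in find_persistence_indicators(SAMPLE_REG_EXPORT):
        print(f"[{finding['technique']}] {finding['key']} -> {finding['dll']}")
    print("clean host findings:", find_persistence_indicators(CLEAN_REG_EXPORT))
```

On the constructed infected export this reports two findings, the digedpws Notify package (DllName %System%\digedpws.dll, Startup WlxStartupEvent) and AppInit_DLLs set to iernpgps.dll, and nothing on the clean export. Because both locations are loaded by trusted system processes, a review of these keys belongs in any logon-persistence baseline check.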

Propagation via Email

A WORM_STRATION variant usually propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It gathers target email addresses from the Windows Address Book (WAB).

It is capable of sending email messages without using mailing applications, such as Microsoft Outlook. Thus, its email propagation routine becomes nearly invisible from an affected user.

The said email message contains the following details:

Subject:
Message body: (any of the following)
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment: (any of the following file names)
• body
• data
• doc
• docs
• document
• file
• message
• readme
• test
• text

(with any of the following as first extension name)
• .log
• .elm
• .msg
• .txt
• .dat

(with any of the following as second extension name)
• .bat
• .cmd
• .scr
• .exe
• .pif

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Note that it uses double extension names in the attached file. The said method of naming tricks the user into thinking that the file is non-malicious because, usually, the first extension name is noticed first and the second one is hidden. In actuality, the second extension name is the true file type of the attachment.
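The attachment naming scheme above is fully enumerable (ten base names, five inner extensions, five executable extensions), which makes it a good candidate for a mail-gateway rule. The script below is an added example, not part of the Trend Micro write-up, that generates the full set of names the write-up describes and classifies attachment names pulled out of a MIME message. It goes beyond the specific case in the text with a generalized check for any executable extension hidden behind a document-like inner extension; the broader list of document-like extensions and the sample message are assumptions constructed for the example.

```python
"""Classify double-extension attachment lures of the kind described above.

Added example for this write-up. The lure name lists come from the write-up;
the broader DOCUMENT_LIKE_EXTENSIONS set and the sample message are constructed.
"""
import email
import email.policy
import itertools
from email.message import EmailMessage
from typing import List, Optional, Set, Tuple

LURE_BASENAMES = {"body", "data", "doc", "docs", "document",
                  "file", "message", "readme", "test", "text"}
INNER_EXTENSIONS = {".log", ".elm", ".msg", ".txt", ".dat"}
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".scr", ".exe", ".pif"}

# Generalization beyond the write-up (assumption): other extensions a user
# would read as "a document" when the real executable extension is hidden.
DOCUMENT_LIKE_EXTENSIONS = INNER_EXTENSIONS | {".doc", ".pdf", ".rtf", ".htm", ".html", ".jpg"}


def stration_lure_names() -> Set[str]:
    """Every attachment name the write-up's three lists can produce (10 x 5 x 5)."""
    return {base + inner + outer for base, inner, outer in
            itertools.product(LURE_BASENAMES, INNER_EXTENSIONS, EXECUTABLE_EXTENSIONS)}


def split_double_extension(filename: str) -> Optional[Tuple[str, str, str]]:
    """Return (base, inner_ext, outer_ext) for names with at least two dots."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    base, inner, outer = parts
    return base, "." + inner, "." + outer


def classify_attachment(filename: str) -> Optional[str]:
    """Verdict for a suspicious name, or None when the name is not a double-extension lure.

    The outer (real) extension must be executable; the inner one is what the
    user sees when Windows hides known extensions.
    """
    parts = split_double_extension(filename)
    if parts is None:
        return None
    base, inner, outer = parts
    if outer not in EXECUTABLE_EXTENSIONS:
        return None
    if base in LURE_BASENAMES and inner in INNER_EXTENSIONS:
        return "stration-style lure"
    if inner in DOCUMENT_LIKE_EXTENSIONS:
        return "executable disguised as document"
    return None


def flagged_attachments(raw_message: str) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message and return (filename, verdict) for flagged parts."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            verdict = classify_attachment(name)
            if verdict:
                flagged.append((name, verdict))
    return flagged


def build_sample_message() -> str:
    """Constructed message using one of the body texts quoted in the write-up."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Mail server report.\n"
                    "Please install updates for worm elimination and your computer restoring.\n")
    # Placeholder payload bytes: only the file name matters for this check.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="document.txt.exe")
    msg.add_attachment(b"plain text", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    print(len(stration_lure_names()), "lure names enumerated")
    print(flagged_attachments(build_sample_message()))
```

The enumerated set makes a compact blocklist, but the generalized rule is the one worth keeping: on the gateway, reject or quarantine any attachment whose final extension is executable regardless of what precedes it, and on endpoints keep "Hide extensions for known file types" disabled so the second extension is visible.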

Download Routine

This worm connects to the following Web site to download possibly malicious files:

  • http://{BLOCKED}ase.com/

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Jasen Sumalapao
