WORM_STRAT.DR
Also known as: CME-416
Overview

Malware type: Worm

Aliases: W32.Stration.DL@mm (Symantec), Troj/StraDl-A (Sophos), Email-Worm.Win32.Warezov.fh (Kaspersky), Worm/Stration.AF (Avira), W32/Stration@MM (McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

On September 22, 2006, in the face of increasing infections and a seemingly endless release of new variants into the wild, the Trend Micro Japan office declared a local alert to control the onslaught of WORM_STRATION, which was quickly gaining notoriety for spawning iterations at rates not seen since 2005's MYTOB. Within a few weeks, WORM_STRATION was also found spreading like wildfire in the rest of the world, primarily in the US. Read an article documenting the STRATION event here: The STRATION Strategy.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_STRAT.DR Behavior Diagram

Malware Overview

This worm propagates by sending a copy of itself as an attachment to email messages, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. The built-in SMTP engine improves the worm's propagation because it can send email directly to the recipient's mail server without relying on a mail client installed on the infected machine, such as Microsoft Outlook.

The email it sends out has the following details:

Subject: (any of the following)
• Error
• Good day
• hello
• Mail Delivery System
• Mail server report
• Mail Transaction Failed
• picture
• Server Report
• Status
• test

Message body:
Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.

After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attachment: (any of the following file names)
• body
• data
• doc
• docs
• document
• file
• message
• readme
• test
• text
• Update-KB{random numbers}-x86

(with any of the following as first extension name)
• DAT
• ELM
• LOG
• MSG
• TXT

(with any of the following as second extension)
• BAT
• CMD
• PIF
• SCR
• EXE

Except for the file name Update-KB{random numbers}-x86, which always uses the .EXE extension, this worm uses double extension names for the attached file (for example, BODY.DOC.BAT or DATA.ELM.EXE). This naming method tricks the user into thinking the file is harmless because the first extension is usually the one noticed, while the second, executable extension is missed. The effect is stronger on a default Windows installation, where Explorer's "Hide extensions for known file types" setting suppresses the final .BAT, .CMD, .PIF, .SCR or .EXE extension, so BODY.DOC.BAT is displayed simply as BODY.DOC.

This worm may arrive as an email attachment or as a file downloaded by TROJ_STRAT.DR.

Upon execution, it drops files in specific locations, including a file that Trend Micro also detects as WORM_STRAT.DR.

This worm also connects to several URLs to download possibly malicious files.

For additional information about this threat, see:
Solution
Technical Details

Description created: Oct. 19, 2006 12:16:15 AM GMT -0800
Description updated: Oct. 25, 2006 2:06:47 PM GMT -0800
