WORM_STRAT.GG
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Warezov.mh (Kaspersky), W32/Stration.gen.dldr (McAfee), W32.Stration@mm (Symantec), Worm/Warezov.JJ (Avira), Troj/StraDl-C (Sophos), TrojanDownloader:Win32/Small.gen!M (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1: Propagates via email


Description: 

On September 22, 2006, in the face of increasing infections and a seemingly endless release of new variants into the wild, the Trend Micro Japan office declared a local alert to control the onslaught of WORM_STRATION, which was quickly gaining notoriety for spawning variants at a rate not seen since 2005's MYTOB. Within a few weeks, WORM_STRATION was also spreading like wildfire in the rest of the world, primarily in the US. Read an article documenting the STRATION event here: The STRATION Strategy.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_STRAT.GG Behavior Diagram

Malware Overview

This worm attains its full propagation potential by employing another malware, specifically TROJ_STRAT.GG. This malware tandem is responsible for a vicious worm-Trojan propagation cycle, wherein the worm mass-mails copies of the Trojan. The Trojan, in turn, downloads copies of the worm from a specific Web site.

This method has proven effective, having been employed by several BAGLE variants in recent years.

This worm gathers target recipients from files with specific file name extensions. The email message it sends out contains the following details:

Subject: (any of the following)
• Error
• Good day
• hello
• Mail Delivery System
• Mail server report
• Mail Transaction Failed
• picture
• Server Report
• Status
• test

Message body: (any of the following)
• Mail transaction failed. Partial message is available.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
• The message contains Unicode characters and has been sent as a binary attachment.
• Mail server report.

  Our firewall determined the e-mails containing worm copies are being sent from your computer.

  Nowadays it happens from many computers, because this is a new virus type (Network Worms).

  Using the new bug in the Windows, these viruses infect the computer unnoticeably.

  After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring.

  Best regards,
  Customers support service

Attachment: (any of the following)
• body
• data
• doc
• docs
• document
• file
• message
• readme
• test
• text
• Update-KB{random numbers}-x86

(with any of the following as first extension)
• DAT
• ELM
• LOG
• MSG
• TXT

(with any of the following as second extension)
• BAT
• CMD
• EXE
• PIF
• SCR

Except for the file name Update-KB{Random numbers}-x86, which always uses the EXE extension, this worm uses double extensions for its attached files. This technique tricks users into thinking the file is non-malicious, since the user usually notices only the first extension and not the second, executable one.
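A mail-gateway triage check built from the subject and attachment-naming pattern listed above, as an added example that is not part of the original description. It assumes messages are already parsed into a subject string and a list of attachment file names; the sample messages are constructed, not real captures.

```python
import re

# Attachment-naming scheme described for WORM_STRAT.GG (values from the description).
BASE_NAMES = {"body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"}
FIRST_EXT = {"dat", "elm", "log", "msg", "txt"}      # benign-looking inner extension
SECOND_EXT = {"bat", "cmd", "exe", "pif", "scr"}     # executable outer extension
# Update-KB{random numbers}-x86 always carries the EXE extension.
UPDATE_KB_RE = re.compile(r"^update-kb\d+-x86\.exe$", re.IGNORECASE)
SUBJECTS = {"error", "good day", "hello", "mail delivery system", "mail server report",
            "mail transaction failed", "picture", "server report", "status", "test"}


def attachment_matches(filename: str) -> bool:
    """True if the attachment name fits the double-extension scheme or the Update-KB name."""
    name = filename.strip().lower()
    if UPDATE_KB_RE.match(name):
        return True
    parts = name.split(".")
    if len(parts) != 3:          # must be exactly base.first.second
        return False
    base, first, second = parts
    return base in BASE_NAMES and first in FIRST_EXT and second in SECOND_EXT


def subject_matches(subject: str) -> bool:
    """True if the subject is one of the fixed strings the worm uses."""
    return subject.strip().lower() in SUBJECTS


def triage(messages):
    """Return indices of messages whose subject AND an attachment both fit the pattern.

    Each message is a dict with 'subject' (str) and 'attachments' (list of file names).
    """
    hits = []
    for i, msg in enumerate(messages):
        if subject_matches(msg.get("subject", "")) and any(
            attachment_matches(a) for a in msg.get("attachments", [])
        ):
            hits.append(i)
    return hits


# Constructed sample messages (hypothetical, not real captures) to exercise the checks.
SAMPLE_MESSAGES = [
    {"subject": "Mail Delivery System", "attachments": ["message.txt.exe"]},
    {"subject": "Server Report", "attachments": ["Update-KB883246-x86.exe"]},
    {"subject": "Quarterly figures", "attachments": ["report.xlsx"]},
    {"subject": "test", "attachments": ["test.txt"]},   # single extension: no match
]

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES))  # -> [0, 1]
```

Requiring both the subject and the attachment pattern keeps false positives low on common subjects such as "test"; the attachment check alone is the stronger signal of the two.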

This worm also waits for an active Internet connection and then attempts to access several URLs to download and execute possibly malicious files on the affected system.

As of this writing, however, the URLs it attempts to access are unavailable.

For additional information about this threat, see:
Solution
Technical Details

Description created: Nov. 20, 2006 2:26:43 AM GMT -0800
