Description:
On September 22, 2006, in the face of increasing infections and a seemingly endless release of new variants into the wild, the Trend Micro Japan office declared a local alert to control the onslaught of WORM_STRATION, which was quickly gaining notoriety for spawning iterations at rates not seen since 2005's MYTOB. In just a few weeks, WORM_STRATION was also found spreading like wildfire in the rest of the world, primarily in the US. Read an article documenting the STRATION event here: The STRATION Strategy.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation does not require any user intervention, the user is often unaware that this worm is sending out email messages.
It gathers target email addresses from the user's Windows Address Book (WAB).
The email message it sends out has the following details:
Subject: (any of the following)
• Error
• Good day
• hello
• Mail Delivery System
• Mail Server Report
• Mail Transaction Failed
• picture
• Server Report
• Status
• test
Message body:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
Attachment: (any of the following)
• body
• data
• doc
• document
• file
• message
• readme
• test
• tex
• Update-KB{random numbers}-x86
(with any of the following as first extension)
• DOC
• ELM
• LOG
• MSG
• TXT
(with any of the following as second extension)
• BAT
• CMD
• EXE
• PIF
• SCR
Its use of double extensions tricks the user into thinking that the file is harmless: the user usually notices only the first extension name (for example, TXT), while the second extension name, which indicates the real file type, is the one that matters.
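The subject lines, attachment base names and extension pairs listed above are concrete indicators a mail gateway or triage script can match on. The following Python is an added example, not part of the original description or of any Trend Micro product: it encodes those indicators, splits an attachment name into base name and two extensions, and flags both exact WORM_STRATION name patterns and the more general "document extension hiding an executable extension" trick. The sample messages at the bottom are constructed for the demonstration.

```python
import re

# Indicators transcribed from the description above (compared case-insensitively).
SUBJECTS = {
    "error", "good day", "hello", "mail delivery system", "mail server report",
    "mail transaction failed", "picture", "server report", "status", "test",
}
BASENAMES = {"body", "data", "doc", "document", "file", "message", "readme", "test", "tex"}
UPDATE_KB_RE = re.compile(r"^update-kb\d+-x86$")   # "Update-KB{random numbers}-x86"
FIRST_EXTS = {"doc", "elm", "log", "msg", "txt"}     # benign-looking first extension
SECOND_EXTS = {"bat", "cmd", "exe", "pif", "scr"}    # executable second extension


def split_attachment_name(name):
    """Return (base, first_ext, second_ext) in lower case, or None if the name
    does not carry exactly the base.first.second shape we are looking for."""
    parts = name.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def is_double_extension_executable(name):
    """Generic check: document-style extension followed by an executable one."""
    parts = split_attachment_name(name)
    if parts is None:
        return False
    _, first, second = parts
    return first in FIRST_EXTS and second in SECOND_EXTS


def is_stration_attachment(name):
    """Strict check: the double extension plus one of the listed base names."""
    parts = split_attachment_name(name)
    if parts is None:
        return False
    base, first, second = parts
    if first not in FIRST_EXTS or second not in SECOND_EXTS:
        return False
    return base in BASENAMES or UPDATE_KB_RE.match(base) is not None


def classify_message(subject, attachments):
    """Return the list of reasons a message resembles WORM_STRATION mail
    (empty list means nothing matched)."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches a known STRATION subject: %r" % subject)
    for att in attachments:
        if is_stration_attachment(att):
            reasons.append("attachment matches a known STRATION name pattern: %r" % att)
        elif is_double_extension_executable(att):
            reasons.append("attachment hides an executable behind a document extension: %r" % att)
    return reasons


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Mail Server Report", "attachments": ["Update-KB4720-x86.txt.exe"]},
    {"subject": "Quarterly numbers", "attachments": ["budget.xlsx"]},
    {"subject": "hello", "attachments": ["notes.txt"]},
    {"subject": "Re: invoice", "attachments": ["invoice.doc.scr"]},
]


def scan_messages(messages):
    """Map message index -> list of match reasons, for a batch of messages."""
    return {i: classify_message(m["subject"], m["attachments"]) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for idx, reasons in scan_messages(SAMPLE_MESSAGES).items():
        print(idx, reasons or "clean")
```

The strict check keeps false positives low for automatic quarantine, while the generic double-extension check is a useful review signal on its own: with Windows Explorer's default "Hide extensions for known file types" setting, `body.txt.exe` is displayed as `body.txt`, which is exactly the confusion the worm relies on.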
It also creates/modifies autostart registry entries to enable its automatic execution at every system startup.
Moreover, this worm modifies the affected system's HOSTS file to prevent access to certain Web sites.
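Because the description says the worm edits the HOSTS file to block certain Web sites but does not name them, a host-side check cannot rely on a fixed list of domains; it can, however, report any hostname other than localhost that has been pointed at a loopback or unspecified address, which is how such blocking is usually done. The Python below is an added example, not code from the original page: it parses HOSTS-file text (comments and blank lines stripped, multiple hostnames per line handled) and returns the sinkholed entries, with an optional allowlist for legitimate administrator entries. The sample file contents and domain names are constructed.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file after unwanted entries were appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       updates.example-vendor.test   # constructed: sinkholed vendor site
127.0.0.1       www.antivirus-example.test    # constructed: sinkholed vendor site
10.0.0.5        intranet.corp.example         # constructed: legitimate admin entry
"""

# Names that are expected to resolve to loopback in a clean HOSTS file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.
    Comments (from '#' to end of line) and blank lines are ignored; a line
    with several hostnames yields one tuple per hostname."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_hosts_entries(text, allowlist=frozenset()):
    """Return (line_no, ip, hostname, reason) for entries that map a non-local
    hostname to a loopback or unspecified address, or that cannot be parsed."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_OK or name in allowlist:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, ip, name, "hostname sinkholed to a local address"))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, ip, reason))
```

On a live system the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; the same parser also works for the Unix `/etc/hosts` format.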
It attempts to download and execute files detected by Trend Micro as WORM_STRATION.AE and WORM_STRATION.BV. The said action increases the risk of acquiring more malware threats on the affected system.
Description created: Sep. 11, 2006 1:13:51 AM GMT -0800