Win32/Stration [Threat Name]

Win32/Stration.AA [Threat Variant Name]

Category worm
Size 136 KB
Aliases Email-Worm.Win32.Warezov.o (Kaspersky)
Short description

Win32/Stration.AA is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • rsmbx.exe

The following files are dropped in the same folder:

  • rsmbx.dll
  • rsmbx.gfx
  • rsmbx.wax

The following files are dropped into the %system% folder:

  • cmut449c14b7.dll
  • hpzl449c14b7.exe
  • msji449c14b7.dll

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "rsmbx" = "%windir%\rsmbx.exe s"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "msji449c14b7.dll"

A Notepad window with random text is displayed.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml

Addresses containing the following strings are avoided:

  • .edu
  • .gov
  • .mil
  • @avp
  • @foo
  • admin
  • anyone@
  • berkeley
  • bsd
  • bugs@
  • cafee
  • certific
  • contact
  • contract@
  • example
  • fido
  • gnu
  • gold-certs
  • google
  • help
  • help@
  • ibm.com
  • icrosoft
  • info@
  • kasp
  • kernel
  • linux
  • local
  • master
  • mozilla
  • mydomai
  • news
  • nobody
  • noone
  • noreply
  • panda
  • pgp
  • pch
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root@
  • samples
  • secure
  • sendmail
  • service
  • smbdy
  • smn
  • spam
  • support
  • unix
  • update
  • update
  • usnt
  • winrar
  • winzip
  • www
  • xx
  • yu
  • yur

Strings from the following (3) lists may be used to form the sender address:

  • adam
  • alice
  • anna
  • betty
  • bob
  • brenda
  • brent
  • brian
  • carol
  • claudia
  • craig
  • cyber
  • dan
  • dave
  • david
  • debby
  • den
  • Donn
  • frank
  • george
  • gerhard
  • helen
  • helen
  • james
  • jane
  • jayson
  • jerry
  • jim
  • joe
  • john
  • karen
  • linda
  • lisa
  • mancy
  • maria
  • ruth
  • sandra
  • sharon
  • Susan

  • adams
  • allen
  • anderson
  • baker
  • carter
  • clark
  • garcia
  • gonzalez
  • green
  • hall
  • harris
  • hernandez
  • hill
  • jackson
  • jeremy
  • joe
  • kenneth
  • king
  • lee
  • lewis
  • lopez
  • martin
  • martinez
  • miller
  • molly
  • moore
  • nelson
  • robinson
  • robyn
  • rodriguez
  • scott
  • shaan
  • taylor
  • thomas
  • thompson
  • walker
  • white
  • wilson
  • wright
  • young

  • gmail.com
  • inbox.com
  • fasmail.fm
  • yahoo.com
  • mail.aim.com
  • mail.lycos.com
  • care2.com
  • goowy.com
  • hotmail.com
  • email.myway.com

Random strings may be used instead.

Subject of the message is one of the following:

  • hello
  • picture
  • Server Report
  • Status
  • test
  • Good day
  • Error
  • Mail Delivery System
  • Mail Transaction Failed

Body of the message is one of the following:

  • Mail transaction failed. Partial message is available.
  • The message contains Unicode characters and has been sentas a binary attachment.
  • The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment

The attachment is an executable of the worm.

Its filename is one of the following:

  • body
  • data
  • doc
  • docs
  • document
  • file
  • message
  • readme
  • test
  • text

A double extension is used.

The first is one of the following:

  • dat
  • doc
  • elm
  • log
  • msg
  • txt

The second is one of the following:

  • bat
  • cmd
  • exe
  • pif
  • scr
