Win32/Stration [Threat Name]

Win32/Stration.ACL [Threat Variant Name]

Category: trojan, worm

Size: 122369 B

Aliases:

  • Email-Worm.Win32.Warezov.ali (Kaspersky)
  • Trojan.Proxy.2413 (Dr.Web)
  • Worm:Win32/Stration.DU@mm (Microsoft)
  • Backdoor.Trojan (Symantec)

Short description

The trojan serves as a proxy server. It is usually a component of other malware.

The trojan does not create any copies of itself.

The trojan creates the following files:

  • %windir%\system32\diagisr.dll
  • %windir%\system32\isrprf32.dll
  • %windir%\system32\isrprov.exe

The trojan may create the following files:

  • %windir%\system32\sysnt.dat
  • %temp%\temp_%number%.bat

The %number% represents a random number.

To be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "himem.exe" = "%malwarefilepath% -s"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SoundMnEx32" = "%malwarefilepath%"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:SystemVersion"

This entry adds an exception for the trojan's executable to the Windows Firewall, so its proxy listener is not blocked.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "AppInit_DLLs" = "%originalvalue% diagisr.dll"

In this way the trojan ensures that the library with the following name is injected into all running processes:

  • diagisr.dll

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL. The HTTP, TCP and UDP protocols are used in the communication.

The trojan opens TCP port 80, on which an HTTP proxy listens.

The trojan opens the following UDP ports:

  • 53
  • 42771

The trojan executes the following files:

  • %windir%\system32\pvjirreg.exe
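The file, Registry and listener artifacts listed on this page can be checked on a suspect host with the following triage script, added here as an example and not part of the original page or of ESET's tooling; it assumes an elevated PowerShell session and that the locations are exactly those listed above.

```powershell
# Added triage check (not ESET's tooling) for the Win32/Stration.ACL artifacts
# described on this page. Assumes an elevated PowerShell session on the host.
$hits = @()

# 1. Files the trojan creates or executes (sysnt.dat is listed as optional).
$files = @(
    "$env:windir\system32\diagisr.dll",
    "$env:windir\system32\isrprf32.dll",
    "$env:windir\system32\isrprov.exe",
    "$env:windir\system32\sysnt.dat",
    "$env:windir\system32\pvjirreg.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
}

# 2. Run-key persistence under the value names this variant uses.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'himem.exe', 'SoundMnEx32') {
    $v = Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue
    if ($v) { $hits += "Run value '$name' = $($v.$name)" }
}

# 3. AppInit_DLLs injection of diagisr.dll.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -match 'diagisr\.dll') { $hits += "AppInit_DLLs = $appInit" }

# 4. Firewall exception in the legacy StandardProfile authorized-application list.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fw) {
    foreach ($p in (Get-ItemProperty -Path $fw).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match ':\*:Enabled:SystemVersion$') {
            $hits += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

# 5. Listeners named on the page: the TCP 80 HTTP proxy and UDP 53 / 42771.
$listen = netstat -ano | Select-String -Pattern '^\s*(TCP\s+\S+:80\s+\S+\s+LISTENING|UDP\s+\S+:(53|42771)\s)'
foreach ($l in $listen) { $hits += "Listener: $($l.Line.Trim())" }

if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Stration.ACL indicators found.' }
```

A UDP 53 or TCP 80 listener is expected on DNS and web servers, so weigh those hits against the file and Registry findings rather than treating them alone as confirmation.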
