New Virus : Win32/Stration Family
Administrator
Method of Infection

When executed, some Stration variants copy their main executable to the %Windows% directory. Stration variants reported to CA from the wild have used the following filenames, for example:

cserv32.exe
cservv32.exe
msserv.exe
mswiizz32.exe
rsmb.exe
serrv.exe
serv.exe
sserrvv.exe
svchost.exe
t2serv.exe
tsrv.exe

These executables use the Notepad file icon.

The worm then adds an entry in the following registry key so that the main executable is executed at each Windows start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\t2serv = "%Windows%\t2serv.exe s"

A few variants copy their main executable to the %System% directory. For example, Win32/Stration.CO makes a copy in %System%\dpv1usrd.exe.

Stration drops a number of its component files into the %System% directory, most of which are DLLs. For example, Stration.BZ drops the following files:

sisbaclu.dll
nwwksetr.dll
rsmpwtsa.exe
t2serv.dll
e1.dll

Some of the dropped DLLs may be installed by adding their filenames to the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Any DLLs referenced in this registry entry are automatically loaded by virtually every program that executes. Stration usually installs two of the dropped DLLs by adding their names to the AppInit_DLLs registry value, for example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "apphavif.dll msobxpob.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "sisbaclu.dll e1.dll"

The worm may also create entries in the above registry key for DLLs dropped by previous Stration variants.

Stration's DLLs and its main executable may also be installed through the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

For example, Win32/Stration.BA adds the following entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\DllName = "%System%\acac.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Image = "<original worm filename>"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Shutdown = "WlxShutdownEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Startup = "WlxStartupEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Impersonate = 0x0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Asynchronous = 0x0

The worm may also inject code that loads one of its dropped DLLs into specific running processes. Examples of process names the worm searches for and injects code into include:

autodown
spiderml
wuauclt
kavtbmon
kavsvc
avginet
explorer
upgrader
mcupdate
tbmon

Some variants of Stration set their original executable to be removed on reboot using the registry value:

HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Some Stration variants also display a message box upon execution. A message box with the title "Information" and the message "Update successfully installed" is usually displayed. Later Stration variants may display a message box titled "Error" with the message "Unknown error".

Some variants drop a harmless text file in the directory they were executed from and display the file using Notepad. For example, Win32/Stration.V drops a .tmp file and displays it in Notepad.

Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system.
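The three persistence locations described above (the Run key, AppInit_DLLs and Winlogon\Notify) are all plain registry values, so an analyst can review them offline from a `reg export` dump. The script below is an added example, not part of the original analysis or CA's tooling: it parses the text of such an export (assumed already decoded from UTF-16 to a Python string) and reports Run entries whose image sits directly in the Windows directory, every AppInit_DLLs module, and every Notify package with a DllName. The sample export, the Windows directory path C:\WINDOWS (the expansion of %Windows%) and the benign "SoundMAX" entry are constructed assumptions.

```python
"""Triage a Windows registry export for the persistence locations the
write-up describes: the Run key, AppInit_DLLs and Winlogon\\Notify.
Added example; not CA's tooling and not code from the original post."""
import re

# Constructed sample of a `reg export` dump (already decoded from UTF-16).
# Paths assume the Windows directory is C:\WINDOWS, i.e. %Windows% expanded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray"
"t2serv"="C:\\WINDOWS\\t2serv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sisbaclu.dll e1.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]
"DllName"="C:\\WINDOWS\\system32\\acac.dll"
"Startup"="WlxStartupEvent"
"Impersonate"=dword:00000000
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
WINDOWS_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for REG_SZ and REG_DWORD values.
    Other value types (hex:, expand strings) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else '@'
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.startswith('dword:'):
            value = int(data[len('dword:'):], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _image_path(command):
    """Extract the executable path from a Run-key command line."""
    if command.startswith('"'):
        return command.split('"')[1]
    idx = command.lower().find('.exe')
    return command[:idx + 4] if idx >= 0 else command.split(' ')[0]


def findings(keys, windows_dir=r'C:\WINDOWS'):
    """Return (category, detail) pairs matching the persistence patterns in
    the write-up: Run entries whose image sits directly in %Windows%, every
    AppInit_DLLs module, and every Winlogon Notify package with a DllName."""
    out = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        folder = _image_path(cmd).rpartition('\\')[0]
        if folder.lower() == windows_dir.lower():
            out.append(('run-key image in %Windows% root', f'{name} = {cmd}'))
    for dll in keys.get(WINDOWS_KEY, {}).get('AppInit_DLLs', '').split():
        out.append(('AppInit_DLLs entry', dll))
    for path, values in keys.items():
        if path.startswith(NOTIFY_KEY + '\\') and 'DllName' in values:
            package = path.rpartition('\\')[2]
            out.append(('Winlogon Notify package', package + ' -> ' + values['DllName']))
    return out


if __name__ == '__main__':
    for category, detail in findings(parse_reg(SAMPLE_REG)):
        print(f'{category}: {detail}')
```

To run it against a real export, save the three keys with `reg export` and read the file with `open(path, encoding='utf-16')` before passing the text to `parse_reg`. AppInit_DLLs is reported in full because a non-empty value is unusual enough on a workstation to deserve a look, whichever module names appear.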
The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.

Method of Distribution

Via E-mail

Win32/Stration sends e-mail to e-mail addresses harvested from the affected machine. It sends itself attached to these e-mails, which have varying subjects, message bodies and attachment names. Later variants attach a different variant of the worm to the e-mail they send.

It uses fake 'From' addresses taken from a list inside its own code. The From address can appear as a single name chosen from a list with names such as:

Donna adam alice anna bob brent brian craig dan dave david debby den frank george gerhard james jayson jerry jim joe john karen mancy sharon cyber

A name from the list above can also be combined with one of the following surnames:

adams gonzalez green harris hernandez hill jackson joe kenneth lee martin martinex molly rodriguez scott shaan taylor white wilson wright young

For e-mail sent with the subject "Mail server report.", the worm usually uses a first name chosen from the following list:

serv
sec
secur

and a domain name chosen from the following:

areainc.com
logoluso.com
heatwave.com
megoman.com
scholzes.com
guierfence.com
phazen.net
fcradio.net
gametemple.com
midmich.net
elamex.net
sycamorepd.com
selectplan.com
motorsportwarehouse.com
firstclassmoving.com
iinet.net.au
telcan.com
niet.com
vieng.com

For example:

serv@selectplan.com
sec@elamex.com, sharon lee john

Stration harvests e-mail addresses to send itself to from the Windows Address Book (WAB) and from files on the local drive that have the following extensions:

adb asp cfg cgi dbx dhtm eml htm html jsp mbx mdx mht mmf mmt msg txt wab xml

Harvested e-mail addresses are usually stored in a file in the %Windows% directory. For example, Stration.BZ uses the file name "t2serv.wax". The worm may also send e-mail to specific e-mail addresses listed in its code.

E-mail sent out by the worm can have any of the following subjects:

Error
Good day
hello
Livan War real pictures.
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
test
This is not shown on TV.
This must be seen by everyone.

Possible message bodies include:

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
------------------------------
Mail transaction failed. Partial message is available.
------------------------------
The message contains Unicode characters and has been sent as a binary attachment.
------------------------------
Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service
------------------------------
Livan War real pictures.
------------------------------
This is not shown on TV.
------------------------------
This must be seen by everyone.
------------------------------

The worm attaches itself to the e-mail message using a file name chosen randomly from the following list:

body data docs document file message picture<random number> readme test text

The file usually has two extensions, the first being chosen from the following list:

log doc msg dat txt elm jpg gif bmp

The second extension is chosen from the following list and may be separated from the first extension by a number of spaces:

pif bat cmd scr exe

The worm may also attach itself to the e-mail inside a ZIP archive with a file name chosen from the first list mentioned above. Example attachment names:

document.zip
test.msg.exe
message.log .scr
file.doc .pif
body.zip

For e-mail sent by the worm with the subject "Mail server report.", the worm usually attaches itself using a file name with the following format:

Update-KB<random>-x86.exe

where <random> is a randomly generated four-digit number. This file can also be inside a zip archive with the same file name. For example:

Update-KB8935-x86.exe
Update-KB1673-x86.zip

Screenshots of example e-mail sent by the worm were included in the original analysis.

Via ICQ Messenger

Some Win32/Stration variants are capable of spreading through the ICQ Instant Messenger network. The worm sends a message along with a link to ICQ contacts discovered on the machine. The following is an example message sent by Win32/Stration.RI:

Look, a new office killer game. Go download and join the rest of us! My nick there is Miril! http://quijindeshkinmas.com/********/msdfg.zip

At the time of publishing, this file was unavailable.

Stration may also replace the ICQ and ICQ Lite executables with another Stration variant.
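The attachment naming rules above (a name from a fixed list, a document-looking first extension, an executable second extension possibly pushed out of view by spaces, or the Update-KB<random>-x86 fake-update name) are regular enough to check at a mail gateway or in gateway logs. The classifier below is an added example, not code from the original analysis; the word lists come from the write-up, while the tag names, the `triage` helper and the sample attachment names are constructed for the example.

```python
"""Classify e-mail attachment file names against the naming patterns the
write-up attributes to Win32/Stration.  Added example; not code from the
original post and not a replacement for signature-based scanning."""
import re

# Name, first-extension and second-extension lists from the write-up.
NAMES = {'body', 'data', 'docs', 'document', 'file', 'message',
         'picture', 'readme', 'test', 'text'}
FIRST_EXT = {'log', 'doc', 'msg', 'dat', 'txt', 'elm', 'jpg', 'gif', 'bmp'}
SECOND_EXT = {'pif', 'bat', 'cmd', 'scr', 'exe'}

# <name><optional digits>.<ext1>[spaces].<ext2>   or   <name>.zip
DOUBLE_OR_ZIP = re.compile(
    r'^(?P<name>[a-z]+\d*)'
    r'(?:\.(?P<ext1>[a-z]{3}) *\.(?P<ext2>[a-z]{3})|\.(?P<zip>zip))$',
    re.IGNORECASE)
# Update-KB<four digits>-x86.exe / .zip used with the "Mail server report." lure
UPDATE_KB = re.compile(r'^Update-KB\d{4}-x86\.(?:exe|zip)$', re.IGNORECASE)


def classify(filename):
    """Return a short tag for a name matching a Stration pattern, else None."""
    name = filename.strip()
    if UPDATE_KB.match(name):
        return 'fake-update'
    m = DOUBLE_OR_ZIP.match(name)
    if not m:
        return None
    base = re.sub(r'\d+$', '', m.group('name').lower())  # picture<random number>
    if base not in NAMES:
        return None
    if m.group('zip'):
        return 'zip-wrapped'
    if m.group('ext1').lower() in FIRST_EXT and m.group('ext2').lower() in SECOND_EXT:
        # spaces between the extensions hide the executable extension in narrow views
        return 'double-extension-padded' if ' ' in name else 'double-extension'
    return None


def triage(filenames):
    """Map each flagged attachment name to its tag; unflagged names are omitted."""
    return {n: classify(n) for n in filenames if classify(n)}


# Constructed sample: names from the write-up plus ordinary attachments.
SAMPLE_ATTACHMENTS = [
    'document.zip', 'test.msg.exe', 'message.log .scr', 'file.doc .pif',
    'picture4821.jpg     .pif', 'Update-KB8935-x86.exe', 'Update-KB1673-x86.zip',
    'readme.txt', 'report.doc.exe', 'holiday.jpg', 'quarterly-results.zip',
]

if __name__ == '__main__':
    for name, tag in triage(SAMPLE_ATTACHMENTS).items():
        print(f'{tag:24s} {name!r}')
```

The check deliberately requires the base name to come from the worm's own list, so an unrelated double-extension file such as report.doc.exe is left to the general executable-attachment policy rather than being mislabelled as this family.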
The worm locates these files by querying the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ICQ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ICQLite.exe

It then copies these executables to another location, usually in the %Windows% directory, and replaces them with another Win32/Stration variant. For example, Win32/Stration.RI copies the files "Icq.exe" and "ICQLite.exe" to %Windows%\md2icut9a2.dll and %Windows%\ec2md8g.log. The worm terminates "Icq.exe" and "ICQLite.exe" if they are running. It then replaces these files with a file CA Antivirus solutions detect as Win32/Stration.PO.

Payload

Downloads and Executes Arbitrary Files

Win32/Stration variants generally attempt to download one or two files via HTTP and execute them. Download domains usually differ among variants. The following are some domains from which Stration variants reported to CA have commonly downloaded files:

endfunjdaswuinjdeshihus.com
ertinmdesachlion.com
fandesjinkderunha.com
gadesunheranwui.com
genfushijinkertiondase.com
hertionkadesinpoion.com
huiderinjdasunlixsde.com
rasetikuinyunhderunsa.com
rxff.net
traferreg.com
vadesunjionderunhdae.com
vaserjungenfujinas.com
vedasetionkderun.com
vertionkdaseliplim.com
yuhadefunjinsa.com

At the time of publishing, files downloaded from these domains have been other Stration variants.

Stration may also make a POST request to the same domain in order to send a notification regarding the affected machine. The posted data is encrypted and contains information such as:

The Hosts file contains the mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems the hosts file is located at %Windows%\hosts.

Some Stration variants modify the Hosts file to redirect certain domains to localhost, effectively stopping affected users from visiting these domains. For example, Win32/Stration.AI redirects the following sites:

download.microsoft.com go.microsoft.com msdn.microsoft.com office.microsoft.com windowsupdate.microsoft.com http://www.microsoft.com/downloads/S...displaylang=en
avp.ru www.avp.ru http://avp.ru http://www.avp.ru
kaspersky.ru www.kaspersky.ru http://kaspersky.ru
kaspersky.com www.kaspersky.com http://kaspersky.com
kaspersky-labs.com www.kaspersky-labs.com http://kaspersky-labs.com
avp.ru/download/ www.avp.ru/download/ http://www.avp.ru/download/
http://www.kaspersky.ru/updates/ http://www.kaspersky-labs.com/updates/ http://kaspersky.ru/updates/ http://kaspersky-labs.com/updates/
downloads1.kaspersky-labs.com downloads2.kaspersky-labs.com downloads3.kaspersky-labs.com downloads4.kaspersky-labs.com downloads5.kaspersky-labs.com
http://downloads1.kaspersky-labs.com http://downloads2.kaspersky-labs.com http://downloads3.kaspersky-labs.com http://downloads4.kaspersky-labs.com http://downloads5.kaspersky-labs.com
downloads1.kaspersky-labs.com/products/ downloads2.kaspersky-labs.com/products/ downloads3.kaspersky-labs.com/products/ downloads4.kaspersky-labs.com/products/ downloads5.kaspersky-labs.com/products/
http://downloads1.kaspersky-labs.com/products/ http://downloads2.kaspersky-labs.com/products/ http://downloads3.kaspersky-labs.com/products/ http://downloads4.kaspersky-labs.com/products/ http://downloads5.kaspersky-labs.com/products/
downloads1.kaspersky-labs.com/updates/ downloads2.kaspersky-labs.com/updates/ downloads3.kaspersky-labs.com/updates/ downloads4.kaspersky-labs.com/updates/ downloads5.kaspersky-labs.com/updates/
http://downloads1.kaspersky-labs.com/updates/ http://downloads2.kaspersky-labs.com/updates/ http://downloads3.kaspersky-labs.com/updates/ http://downloads4.kaspersky-labs.com/updates/ http://downloads5.kaspersky-labs.com/updates/
ftp://downloads1.kaspersky-labs.com ftp://downloads2.kaspersky-labs.com ftp://downloads3.kaspersky-labs.com ftp://downloads4.kaspersky-labs.com ftp://downloads5.kaspersky-labs.com
ftp://downloads1.kaspersky-labs.com/products/ ftp://downloads2.kaspersky-labs.com/products/ ftp://downloads3.kaspersky-labs.com/products/ ftp://downloads4.kaspersky-labs.com/products/ ftp://downloads5.kaspersky-labs.com/products/
ftp://downloads1.kaspersky-labs.com/updates/ ftp://downloads2.kaspersky-labs.com/updates/ ftp://downloads3.kaspersky-labs.com/updates/ ftp://downloads4.kaspersky-labs.com/updates/ ftp://downloads5.kaspersky-labs.com/updates/
http://updates.kaspersky-labs.com/updates/ http://updates1.kaspersky-labs.com/updates/ http://updates2.kaspersky-labs.com/updates/ http://updates3.kaspersky-labs.com/updates/ http://updates4.kaspersky-labs.com/updates/
ftp://updates.kaspersky-labs.com/updates/ ftp://updates1.kaspersky-labs.com/updates/ ftp://updates2.kaspersky-labs.com/updates/ ftp://updates3.kaspersky-labs.com/updates/ ftp://updates4.kaspersky-labs.com/updates/
viruslist.com www.viruslist.com http://viruslist.com
viruslist.ru www.viruslist.ru http://viruslist.ru
ftp://ftp.kasperskylab.ru/updates/
symantec.com www.symantec.com http://symantec.com
customer.symantec.com http://customer.symantec.com
liveupdate.symantec.com http://liveupdate.symantec.com
liveupdate.symantecliveupdate.com http://liveupdate.symantecliveupdate.com
securityresponse.symantec.com http://securityresponse.symantec.com
service1.symantec.com http://service1.symantec.com
symantec.com/updates http://symantec.com/updates
updates.symantec.com http://updates.symantec.com
eset.com/ www.eset.com/ http://www.eset.com/
eset.com/products/index.php www.eset.com/products/index.php http://www.eset.com/products/index.php
eset.com/download/index.php www.eset.com/download/index.php http://www.eset.com/download/index.php
eset.com/joomla/ www.eset.com/joomla/ http://www.eset.com/joomla/
u3.eset.com/ http://u3.eset.com/
u4.eset.com/ http://u4.eset.com/
www.symantec.com/updates

Stops and Deletes Services

Win32/Stration may stop and delete a number of security-related services if they are running on the affected system. Stration may target the following services:

nod32krn
avginet
avgupsvc
kavsvc
sndsrvc
updmgr
upgrader
drwebupw
spiderml
kav
aupdate
lucoms
luall
ndetect
alunotify
lsetup
luinit
mcupdate
tbmon
wuauclt
wuauclt1
wuauserv

Many of the components dropped by Stration are used to monitor whether certain antivirus and/or firewall applications are running on the system. The worm checks for registry entries, services and processes related to these applications and uses this information to signal other components and variants that they are running. The worm monitors applications such as:

ZoneAlarm
Sygate Personal Firewall
Symantec Internet Security
Agnitum Outpost Firewall
McAfee Personal Firewall
Kerio WinRoute Firewall

Sends Spam E-mail

Win32/Stration variants are also capable of sending spam e-mail. These variants usually contact a particular domain and download a file that contains a list of URLs. This list of URLs includes:
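The Hosts-file tampering described above is easy to confirm from a copy of the file, and is worth checking on any machine where Windows Update or antivirus updates have silently stopped working. The checker below is an added example, not code from the original analysis: it parses hosts-file syntax, normalises the URL-style tokens the worm is reported to write (which are not valid host names but still show the file was edited) and reports every loopback entry whose host falls under one of the vendor and update domains in the Stration.AI list. The watchlist is reduced to registrable domains from that list; the sample file contents and the corp.example names are constructed.

```python
"""Check a Windows hosts file for security-vendor and update domains pinned
to loopback, the redirection the write-up attributes to Win32/Stration.AI.
Added example; not code from the original post."""
import re

# Registrable domains from the write-up's list, matched as suffixes.
WATCHLIST = ('microsoft.com', 'avp.ru', 'kaspersky.ru', 'kaspersky.com',
             'kaspersky-labs.com', 'kasperskylab.ru', 'viruslist.com',
             'viruslist.ru', 'symantec.com', 'symantecliveupdate.com', 'eset.com')
LOOPBACK = {'127.0.0.1', '::1'}

# Constructed sample: a default Windows hosts file plus entries of the kind the
# worm writes, including URL-style tokens that are not valid hosts syntax.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 http://liveupdate.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com/updates/
127.0.0.1 intranet.corp.example
"""


def normalise(token):
    """Reduce a hosts-file token (possibly a URL) to a bare lower-case host name."""
    token = re.sub(r'^[a-z][a-z0-9+.-]*://', '', token, flags=re.IGNORECASE)
    return token.split('/', 1)[0].lower().rstrip('.')


def on_watchlist(host):
    """True if host equals, or is a subdomain of, a watchlisted domain."""
    return any(host == d or host.endswith('.' + d) for d in WATCHLIST)


def find_blocked_vendors(text):
    """Return (line_no, ip, host, malformed) for every loopback entry whose
    host is on the watchlist; malformed marks URL-style tokens that are not
    valid host names but still show the file was tampered with."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for tok in names:
            host = normalise(tok)
            if host == 'localhost' or not on_watchlist(host):
                continue
            hits.append((no, ip, host, host != tok.lower()))
    return hits


if __name__ == '__main__':
    for no, ip, host, malformed in find_blocked_vendors(SAMPLE_HOSTS):
        flag = ' (malformed entry)' if malformed else ''
        print(f'line {no}: {ip} -> {host}{flag}')
```

On a live XP/2000/NT system the input is the text of %System%\drivers\etc\hosts; on 9x it is %Windows%\hosts. Suffix matching on the registrable domain is deliberate, since the variant lists dozens of numbered mirror hosts under kaspersky-labs.com and symantec.com that a literal list would miss.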
Examples of spam e-mail sent by Stration were shown as screenshots in the original analysis.

Analysis by Hamish O'Dea and Amir Fouda