Method of Infection
When executed, some Stration variants copy their main executable to the %Windows% directory. Stration variants reported to CA from the wild have used the following filenames, for example:
cserv32.exe
cservv32.exe
msserv.exe
mswiizz32.exe
rsmb.exe
serrv.exe
serv.exe
shost.exe
sserrvv.exe
svchost.exe
t2serv.exe
tpup.exe
tsrv.exe
These executables use the Notepad file icon.
The worm then adds an entry in the following registry key so that the main executable is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\t2serv = "%Windows%\t2serv.exe s"
A few variants copy their main executable to the %System% directory. For example, Win32/Stration.CO makes a copy in %System%\dpv1usrd.exe.
Stration drops a number of its component files into the %System% directory, most of which are DLLs. For example, Stration.BZ drops the following files:
sisbaclu.dll
nwwksetr.dll
rsmpwtsa.exe
t2serv.dll
e1.dll
Some of the dropped DLLs may be installed by adding their filenames to the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Any DLLs referenced in this registry entry are automatically loaded by virtually every program that executes.
Stration usually installs two of the dropped DLLs by adding their names to the AppInit_DLLs registry value, for example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "apphavif.dll msobxpob.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "sisbaclu.dll e1.dll"
The worm may also create entries in the above registry key for DLLs dropped by previous Stration variants.
Stration's DLLs and its main executable may also be installed through the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
For example, Win32/Stration.BA adds the following entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\DllName = "%System%\acac.dll"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Image = "<original worm filename>"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Shutdown = "WlxShutdownEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Startup = "WlxStartupEvent"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Impersonate = 0x0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac\Asynchronous = 0x0
The worm may also inject code that loads one of its dropped DLLs into specific running processes. Examples of process names the worm searches for and injects code into include:
autodown
spiderml
wuauclt
kavtbmon
kavsvc
avginet
explorer
upgrader
mcupdate
tbmon
Some variants of Stration set their original executable to be removed on reboot using the registry value:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
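The registry locations just described are the first things a responder checks on a suspect machine. The following Python is an added example, not CA's own tooling: it parses a `reg export` style text dump (a constructed sample mirroring the t2serv, sisbaclu.dll and acac entries above is embedded) and reports Run entries whose executable sits directly in the Windows directory (a heuristic assumed here from the filenames listed above), every DLL named in AppInit_DLLs, and every Winlogon\Notify subkey with its DllName.

```python
# Audit a `reg export` text dump for the persistence locations Stration uses.
# Added illustration, not CA's tooling; the sample dump below is constructed.
import re

# Locations named in the writeup, spelled the way reg export writes them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
# Heuristic: Stration's Run entry points at an .exe directly in %Windows%, not a subfolder.
WINDIR_EXE = re.compile(r'^"?[a-z]:\\(windows|winnt)\\[^\\"]+\.exe', re.I)

def parse_reg(text):
    """Parse the .reg subset reg export emits ([key], "name"="str", "name"=dword:hex)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")):
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # .reg escapes backslashes and quotes inside strings
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def audit(keys):
    """Return (location, name, value) triples for entries matching the writeup."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k == RUN_KEY.lower():
            for name, value in values.items():
                if WINDIR_EXE.match(str(value)):
                    findings.append(("Run", name, value))
        elif k == APPINIT_KEY.lower():
            # A clean workstation normally has this value empty.
            for dll in str(values.get("AppInit_DLLs", "")).split():
                findings.append(("AppInit_DLLs", dll, ""))
        elif k.startswith(NOTIFY_PREFIX.lower()):
            sub = key[len(NOTIFY_PREFIX):]
            findings.append(("Winlogon\\Notify", sub, str(values.get("DllName", ""))))
    return findings

# Constructed dump mirroring the t2serv / sisbaclu.dll / acac examples above.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"t2serv"="C:\\WINDOWS\\t2serv.exe s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sisbaclu.dll e1.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]
"DllName"="C:\\WINDOWS\\system32\\acac.dll"
"Impersonate"=dword:00000000
'''
FINDINGS = audit(parse_reg(REG_SAMPLE))
```

On a live system, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other two keys) produces the dump format this parser expects.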
Some Stration variants also display a message box upon execution. The message box usually has the title "Information" and the message "Update successfully installed".
Later Stration variants may display a message box titled "Error" with the message "Unknown error".
Some variants drop a harmless text file in the directory they were executed from and display the file using Notepad. For example, Win32/Stration.V drops a .tmp file and opens it in Notepad.
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
Method of Distribution
Via E-mail
Win32/Stration sends e-mail to e-mail addresses harvested from the affected machine. It sends itself attached to these e-mails, which have varying Subjects, Message Bodies and Attachment names. Later variants attach a different variant of the worm to the e-mail they send.
It uses fake 'From' addresses taken from a list inside its own code. The From address can appear as a single name chosen from a list with names such as:
Donna
adam
alice
anna
bob
brent
brian
craig
dan
dave
david
debby
den
frank
george
gerhard
james
jayson
jerry
jim
joe
john
karen
mancy
sharon
cyber
or a name from the list above can also be combined with one of the following surnames:
adams
gonzalez
green
harris
hernandez
hill
jackson
joe
kenneth
lee
martin
martinex
molly
rodriguez
scott
shaan
taylor
white
wilson
wright
young
For e-mail sent with the subject "Mail server report.", the worm usually uses a first name chosen from the following list:
serv
sec
secur
and a domain name chosen from the following:
areainc.com
logoluso.com
heatwave.com
megoman.com
scholzes.com
guierfence.com
phazen.net
fcradio.net
gametemple.com
midmich.net
elamex.net
sycamorepd.com
selectplan.com
motorsportwarehouse.com
firstclassmoving.com
iinet.net.au
telcan.com
niet.com
vieng.com
For example:
serv@selectplan.com
sec@elamex.com
sharon lee
john
Stration harvests e-mail addresses to send itself to from the Windows Address Book (WAB) and from files on the local drive that have the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
html
jsp
mbx
mdx
mht
mmf
mmt
msg
txt
wab
xml
Harvested e-mail addresses are usually stored in a file in the %Windows% directory. For example, Stration.BZ uses the file name "t2serv.wax".
The worm may also send e-mail to specific e-mail addresses listed in its code.
E-mail sent out by the worm can have any of the following Subjects:
Error
Good day
hello
Livan War real pictures.
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
setup
Server Report
Status
test
This is not shown on TV.
This must be seen by everyone.
Possible Messages include:
The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment
------------------------------
Mail transaction failed. Partial message is available.
------------------------------
The message contains Unicode characters and has been sent
as a binary attachment.
------------------------------
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
------------------------------
Livan War real pictures.
------------------------------
This is not shown on TV.
------------------------------
This must be seen by everyone.
------------------------------
Call from your computer to any country of the world within 3 months FOR FREE.
There are no analogues, the product is unique! The amount of beta versions is limited.
This is better and considerably cheaper than Skype.
TRY IT NOW!
------------------------------
The worm attaches itself to the e-mail message using a file name chosen randomly from the following list:
body
data
docs
document
file
message
picture<random number>
readme
setup
test
text
The file usually has two extensions, the first being chosen from the following list:
log
doc
msg
dat
txt
elm
jpg
gif
bmp
The second extension is chosen from the following list and may be separated from the first extension by a number of spaces:
pif
bat
cmd
scr
exe
The worm may also attach itself to the e-mail inside a ZIP archive with a file name chosen from the first list mentioned above.
Example attachment names:
document.zip
test.msg.exe
message.log .scr
file.doc .pif
body.zip
setup.zip
For e-mail sent by the worm with the subject "Mail server report.", the worm usually attaches itself using a file name with the following format:
Update-KB<random>-x86.exe
where <random> is a randomly generated four digit number.
This file can also be inside a zip archive with the same file name. For example:
Update-KB8935-x86.exe
Update-KB1673-x86.zip
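The attachment naming rules above (base name, two extensions optionally separated by spaces, a ZIP with a base name, or Update-KB####-x86) are simple enough to check at a mail gateway. The following Python is an added example, not CA's code; the reason strings and the helper `triage` are my own, and the sample names in the comments are constructed.

```python
# Classify attachment names against the Stration naming patterns described above.
# Added illustration for mail-gateway triage, not CA's code; names below are constructed.
import re

BASE_NAMES = {"body", "data", "docs", "document", "file", "message", "picture",
              "readme", "setup", "test", "text"}
FIRST_EXT = {"log", "doc", "msg", "dat", "txt", "elm", "jpg", "gif", "bmp"}
EXEC_EXT = {"pif", "bat", "cmd", "scr", "exe"}

# base[digits].first[ spaces].second   e.g. "message.log .scr", "test.msg.exe"
DOUBLE_EXT = re.compile(r"^([a-z]+)(\d*)\.([a-z]+)( *)\.([a-z]+)$", re.I)
ZIP_NAME = re.compile(r"^([a-z]+)\.zip$", re.I)
# "Mail server report." mails: Update-KB<four digits>-x86.exe, optionally zipped
UPDATE_KB = re.compile(r"^Update-KB\d{4}-x86\.(exe|zip)$")

def classify(name):
    """Return a reason string if the name fits a Stration pattern, else None.
    Meant as a triage signal ("document.zip" is also a common legitimate name)."""
    name = name.strip()
    if UPDATE_KB.match(name):
        return "fake Windows update (Update-KB####-x86)"
    m = DOUBLE_EXT.match(name)
    if m:
        base, num, first, spaces, second = m.groups()
        base, first, second = base.lower(), first.lower(), second.lower()
        # Only "picture" carries a random number suffix in the observed names.
        if (base in BASE_NAMES and (not num or base == "picture")
                and first in FIRST_EXT and second in EXEC_EXT):
            return "double extension %s.%s" % (first, second)
        if second in EXEC_EXT and spaces:
            return "spaces hiding executable extension"
    m = ZIP_NAME.match(name)
    if m and m.group(1).lower() in BASE_NAMES:
        return "zip with Stration base name"
    return None

def triage(names):
    """Map each attachment name to its classification (None = no match)."""
    return {n: classify(n) for n in names}
```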
[Screenshots of e-mail sent by the worm]
Additionally, some Stration variants send out e-mail that poses as a New Year's postcard. These e-mails have the following characteristics:
Subject:
postcard
Message Body:
Hi, you've just received a postcard.
For:
<recipient's e-mail address>
From:
---
Text:
Happy New Year!
Postcard:
Click on attachment to view a postcard.
----
Pre-holidays Postcards.
http://postcards.wired2000.net/
Attachment:
postcard.zip
This zip file contains a file named "postcard.exe" and is detected as Win32/Stration.XH worm.
[Screenshot of the postcard e-mail]
Via ICQ Messenger
Some Win32/Stration variants are capable of spreading through the ICQ Instant Messenger network. The worm sends a message along with a link to ICQ contacts discovered on the machine. The following is an example message sent by Win32/Stration.RI:
Look, a new office killer game. Go download and join the rest of us!
My nick there is Miril!
http://quijindeshkinmas.com/********/msdfg.zip
At the time of publishing, this file was unavailable.
Stration may also replace the ICQ and ICQ Lite executables with another Stration variant. The worm locates these files by querying the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ICQ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ICQLite.exe
It then copies these executables to another location, usually in the %Windows% directory, and replaces them with another Win32/Stration variant.
For example, Win32/Stration.RI copies the files "Icq.exe" and "ICQLite.exe" to the file locations %Windows%\md2icut9a2.dll and %Windows%\ec2md8g.log. The worm terminates "Icq.exe" and "ICQLite.exe" if they are running. It then replaces these files with a file CA Antivirus solutions detect as Win32/Stration.PO.
Via Skype
Some Win32/Stration variants are capable of spreading through the Skype network. The worm checks for the existence of the registry key
"HKCU\Software\Skype\Phone"
to determine if a Skype client is installed. The worm uses the Skype API to send a short message along with a link to Skype friends. The following is an example message sent by Win32/Stration.AAT:
Check this out
Give me your opinon
http://18467.vionfadetertion.com/***/**94
Have you seen this girl! Take look
http://cards31322.vionfadetertion.com/***/****.xml?id=334
*Note: These URLs have been modified.
Below is a list of domains known to host Stration variants:
Payload
Downloads and Executes Arbitrary Files
Win32/Stration variants generally attempt to download one or two files via HTTP and execute them. Download domains usually differ among variants. The following are some of the domains from which Stration variants reported to CA have commonly downloaded files:
At the time of publishing, files downloaded from these domains have been other Stration variants.
Stration may also make a POST request to the same domain in order to send a notification regarding the affected machine. The posted data is encrypted and contains information such as:
- Version of worm that is running
- Operating system of the affected machine
- Status of Antivirus and Firewall programs running on the affected system
Modifies Hosts File
The Hosts file contains the mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems the hosts file is located at %Windows%\hosts.
Some Stration variants modify the Hosts file to redirect certain domains to localhost, hence effectively stopping affected users from visiting these domains. For example, Win32/Stration.AI redirects the following sites:
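A hosts file that points vendor update sites at the loopback address is a clear indicator of this kind of tampering. The following Python is an added example, not CA's tooling: it parses hosts-file text (a constructed sample is embedded), flags watch-listed domains mapped to a sinkhole address, and separately reports tokens that are URLs rather than hostnames, which a resolver never matches. The watch list is assumed from the vendor domains named in this writeup.

```python
# Flag hosts-file entries that sinkhole vendor update sites, as Win32/Stration.AI does.
# Added illustration, not CA's tooling; the hosts text below is constructed.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Domains this writeup names among those the worm redirects (suffix match).
WATCH_DOMAINS = ("microsoft.com", "kaspersky.com", "kaspersky-labs.com", "kaspersky.ru",
                 "avp.ru", "symantec.com", "symantecliveupdate.com", "eset.com", "viruslist.com")

def under(host, domain):
    """True if host is domain itself or a subdomain of it ("notmicrosoft.com" does not match)."""
    return host == domain or host.endswith("." + domain)

def parse_hosts(text):
    """Yield (ip, hostname) pairs; '#' starts a comment, one IP may carry several names."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            yield fields[0], host

def audit_hosts(text):
    """Return (hostname, reason) findings. A token with a scheme or path is not a
    hostname and never matches a lookup, so it is reported as malformed, not effective."""
    findings = []
    for ip, host in parse_hosts(text):
        h = host.lower()
        if "://" in h or "/" in h:
            findings.append((host, "malformed entry (URL, not a hostname)"))
        elif ip in SINKHOLE_IPS and any(under(h, d) for d in WATCH_DOMAINS):
            findings.append((host, "update/vendor site sinkholed to " + ip))
    return findings

HOSTS_SAMPLE = """# constructed sample
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com download.microsoft.com
127.0.0.1       www.kaspersky.com liveupdate.symantec.com
127.0.0.1       http://www.avp.ru
192.168.10.5    intranet.example.test
"""
FINDINGS = audit_hosts(HOSTS_SAMPLE)
```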
Stops and Deletes Services
Win32/Stration may stop and delete a number of security-related services if they are running on the affected system. Stration may target the following services:
nod32krn
avginet
avgupsvc
kavsvc
sndsrvc
updmgr
upgrader
drwebupw
spiderml
kav
aupdate
lucoms
luall
ndetect
alunotify
lsetup
luinit
mcupdate
tbmon
wuauclt
wuauclt1
wuauserv
Many of the components which are dropped by Stration are used to monitor whether certain antivirus and/or firewall applications are running on the system. The worm checks for registry entries, services and processes which are related to these applications and uses this information to signal other components and variants that they are running. The worm monitors applications such as:
ZoneAlarm
Sygate Personal Firewall
Symantec Internet Security
Agnitum Outpost Firewall
McAfee Personal Firewall
Kerio WinRoute Firewall
Sends Spam E-mail
Win32/Stration variants are also capable of sending spam e-mail. These variants usually contact a particular domain and download a file that contains a list of URLs. This list of URLs includes:
- Location of e-mail to be downloaded and sent out by the worm
- Location of files that contain a list of recipient e-mail addresses
Stration downloads these files and, after a certain period of time, begins sending out e-mail.
[Screenshots of spam e-mail sent by Stration]
Analysis by Hamish O'Dea and Amir Fouda