Spreading Stration worm pretends to be security patch

September 25, 2006 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have announced the discovery of a new version of the Stration worm spreading via email systems.

The W32/Stratio-AN worm has been aggressively distributed by its author since the early hours of Monday morning. It spreads via email using a variety of disguises, including one which ironically poses as a warning that the recipient's computer has been determined to be infected by a worm:

Subject line: Mail server report.

Message text:
Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Attached file: Update-KB7859-x86.zip (which contains the file Update-KB7859-x86.exe)

"This new offspring of the Stration worm is being seen widely at email gateways today, attempting to infect unsuspecting computer users," said Graham Cluley, senior technology consultant for Sophos. "Anyone accessing their email has to learn to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept fully up-to-date."

Sophos experts believe that the worm is using the disguise of a worm warning to play on concern about an unpatched vulnerability in Microsoft's software.

"Many Windows users are waiting anxiously for Microsoft to fix the VML flaw in its code, which has been exploited by hackers online," continued Cluley. "It's possible that the people behind the Stration worm are playing on the internet community's heightened concern while they are left unprotected by Microsoft, and may be able to fool innocent users into rushing into running the malicious update. The lesson to learn is that you should only ever get your security patches from the vendors' official website, not from an unsolicited email."

Sophos recommends that companies protect their email computers with an automatically updated consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited executable code at the gateway.