W32/Stration-B is a mass-mailing worm and backdoor Trojan for the Windows platform.
W32/Stration-B spreads by sending emails with itself as an attachment to email addresses harvested from the Windows Address Book (WAB). Emails sent by the worm have the following characteristics:
Subject line chosen from:
hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed
Message text chosen from:
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sentas a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
The worm is included as a file attachment. The file attachment filename starts with one of the following names:
body
data
doc
docs
document
file
message
readme
test
text
The filenames have a double file extension, with a large number of spaces between the two extensions so that the real, executable extension is pushed out of view in most mail clients. For instance, a typical filename might be:
file.txt .exe
The second (real) file extension is usually one of .BAT, .PIF, .CMD, .EXE or .SCR.
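The subject lines, filename stems and padded double-extension pattern above are enough to write a mail-gateway triage rule. The following Python is an added example, not code from the original description: it takes a subject line and a list of attachment filenames (the sample inputs at the bottom are constructed) and reports why a message looks like a W32/Stration-B mailing. The indicator lists are copied from the page; the scoring tiers ("quarantine" versus "review") are this example's own choice.

```python
import re

# Indicators taken from the page: attachment filename stems, the executable
# extensions used as the real (second) extension, and the subject templates.
ATTACHMENT_STEMS = ("body", "data", "doc", "docs", "document", "file",
                    "message", "readme", "test", "text")
EXEC_EXTENSIONS = {".bat", ".pif", ".cmd", ".exe", ".scr"}
SUBJECTS = {"hello", "picture", "server report", "status", "test", "good day",
            "error", "mail delivery system", "mail transaction failed"}

# stem, decoy extension, run of two or more spaces, then the real extension.
DOUBLE_EXT_RE = re.compile(r"^([a-z0-9_-]+)\.([a-z0-9]+) {2,}\.([a-z]+)$",
                           re.IGNORECASE)


def attachment_matches(filename: str) -> bool:
    """True when the filename has the padded double extension described on
    the page, starts with one of the listed stems, and ends in an executable
    extension."""
    m = DOUBLE_EXT_RE.match(filename)
    if not m:
        return False
    stem, _decoy, ext = m.groups()
    return (stem.lower().startswith(ATTACHMENT_STEMS)
            and "." + ext.lower() in EXEC_EXTENSIONS)


def triage(subject: str, attachments: list) -> dict:
    """Return a verdict plus the individual reasons that led to it."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches a W32/Stration-B template")
    padded_hit = False
    for name in attachments:
        if attachment_matches(name):
            padded_hit = True
            reasons.append(f"attachment {name!r}: padded double extension "
                           "ending in an executable type")
        elif name.lower().rstrip().endswith(tuple(EXEC_EXTENSIONS)):
            reasons.append(f"attachment {name!r}: bare executable attachment")
    if padded_hit:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages; the spacing in the first filename mimics
    # the padding the page describes.
    print(triage("Mail Transaction Failed", ["file.txt          .exe"]))
    print(triage("Quarterly numbers", ["report.pdf"]))
```

The regex requires at least two spaces before the final extension; a plain `file.txt.exe` therefore only earns the weaker "bare executable attachment" reason, which keeps the rule specific to the padding trick the page describes rather than to every executable attachment.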
W32/Stration-B includes functionality to:
- communicate with a remote server via HTTP
- disable anti-virus and other security related software
The worm interferes with the following processes:
mpftray.exe
outpost.exe
ccapp.exe
smc.exe
zapro.exe
zlclient.exe
opera.exe
firefox.exe
svchost.exe
services.exe
iexplore.exe
When run, W32/Stration-B copies itself to <Windows>\svchost32.exe and also to the Temp folder, using names similar to those of the email attachments.
W32/Stration-B also creates the following files:
<System>\cmut449c14b7.dll - detected as W32/Stration-B
<System>\hpzl449c14b7.exe - detected as W32/Stration-B
<System>\msji449c14b7.dll - detected as W32/Stration-B
<Current Folder>\D.TMP - this file can be safely deleted
W32/Stration-B then proceeds to open the file D.TMP with the Windows Notepad application.
The following registry entry may be created to run W32/Stration-B on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<filename without extension>
<pathname of the worm executable>
The following registry entry is also created:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
msji449c14b7.dll
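The two registry locations above (a Run value named after the dropped file, and AppInit_DLLs pointing at the dropped DLL) can be checked offline from a registry export. The following Python is an added example, not code from the original description: it parses the .reg-style text shown (a constructed export, with a constructed benign entry alongside the worm's) and flags the entries the page associates with W32/Stration-B. The file names come from the page; the export format parsing and the finding layout are this example's own.

```python
import ntpath
import re

# File names the page lists as created or used by the worm.
KNOWN_EXES = {"svchost32.exe", "hpzl449c14b7.exe"}
KNOWN_DLLS = {"cmut449c14b7.dll", "msji449c14b7.dll"}
# Attachment-style stems: the Run value is named <filename without extension>.
ATTACHMENT_STEMS = ("body", "data", "doc", "docs", "document", "file",
                    "message", "readme", "test", "text")

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Windows")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed export: one worm Run entry, one benign Run entry, AppInit_DLLs.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"file"="C:\\WINDOWS\\svchost32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="msji449c14b7.dll"
'''


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            keys.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name, data = v.groups()
            keys[current][name] = data.replace("\\\\", "\\")
    return keys


def audit_registry_export(text: str) -> list:
    """Flag Run values and AppInit_DLLs entries matching the page's IoCs."""
    findings = []
    keys = parse_reg_export(text)
    for name, data in keys.get(RUN_KEY, {}).items():
        base = ntpath.basename(data).lower()
        stem = base.rsplit(".", 1)[0]
        if base in KNOWN_EXES:
            reason = "Run value points at a file name the page lists"
        elif stem in ATTACHMENT_STEMS and name.lower() == stem:
            reason = "Run value named after an attachment-style file"
        else:
            continue
        findings.append({"key": RUN_KEY, "name": name, "value": data,
                         "reason": reason})
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    for dll in filter(None, (d.strip() for d in appinit.split(","))):
        reason = ("AppInit_DLLs names a DLL the page lists"
                  if ntpath.basename(dll).lower() in KNOWN_DLLS
                  else "AppInit_DLLs is non-empty and should be reviewed")
        findings.append({"key": APPINIT_KEY, "name": "AppInit_DLLs",
                         "value": dll, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_registry_export(REG_EXPORT):
        print(f["reason"], "->", f["value"])
```

Any non-empty AppInit_DLLs value is reported, not only the names from this page, because the mechanism loads the listed DLL into every process that links user32.dll and is rarely legitimate on a workstation; the page-specific file names just raise the finding from "review" to a direct match.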
W32/Stration-B also attempts to download further executable code.