W32/Stration-G

Category: Viruses and Spyware
Protection available since: 26 Aug 2006 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 26 Aug 2006 00:00:00 (GMT)
Prevalence: No Reports


W32/Stration-G is a mass-mailing worm for the Windows platform.

W32/Stration-G spreads by sending emails with itself as an attachment. Emails take the following form.

The subject line is chosen from the following:

hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed

The message text is chosen from the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-Bit ASCII encoding and has been sent as a binary attachment.

The worm is included as a file attachment with a filename of the following form. The attachment filename starts with one of the following:

body
data
doc
docs
document
file
message
readme
test
text

The filenames have a double file extension, with a large number of spaces between the two file extensions. For instance, a typical filename might be:

body.log .cmd
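
The padded double extension described above can be checked at a mail gateway. The following is an added example, not part of the original write-up: it walks the MIME parts of a message and flags attachment names where whitespace separates a decoy extension from an executable one. The extension list, function names and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumed list of extensions Windows runs directly; extend for your environment.
EXECUTABLE_EXTS = {"cmd", "bat", "exe", "scr", "pif", "com"}

# stem . decoy-extension <whitespace run> . real-extension
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^.]+)\.(?P<decoy>\w+)(?P<pad>\s+)\.(?P<real>\w+)\s*$")

def check_filename(name):
    """Describe a whitespace-padded double extension, or return None."""
    m = PADDED_DOUBLE_EXT.match(name)
    if not m or m.group("real").lower() not in EXECUTABLE_EXTS:
        return None
    return {"decoy": m.group("decoy"), "real": m.group("real").lower(),
            "padding": len(m.group("pad"))}

def suspicious_attachments(raw_message):
    """Return (filename, finding) for every flagged MIME part."""
    hits = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        finding = check_filename(name) if name else None
        if finding:
            hits.append((name, finding))
    return hits

# Constructed sample message (not a captured one); the payload is a dummy.
SAMPLE = "\n".join([
    "Subject: Mail Transaction Failed",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "Mail transaction failed. Partial message is available.",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="body.log' + " " * 40 + '.cmd"',
    "",
    "dummy",
    "--b1--",
    "",
])

if __name__ == "__main__":
    for name, finding in suspicious_attachments(SAMPLE):
        print(repr(name), finding)
```

The padding length is reported so that a filter can tell a single accidental space from the long run used to push the real extension out of view.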

W32/Stration-G copies itself to <Windows>\svchost32.exe and also to the Temp folder, with names similar to those used for email attachments.

W32/Stration-G also attempts to download further executable code. The downloaded executable will install the following files:

<System>\feclipna.dll
<System>\feclipna.exe
<System>\racpwow3.exe

The following registry entries are created to run code exported by feclipna.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feclipna
DllName
<System>\feclipna.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feclipna
Startup
WlxStartupEvent

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feclipna
Impersonate
0
