W32/Stration-X

Category: Viruses and Spyware Protection available since:11 Sep 2006 00:00:00 (GMT)
Type: Win32 worm Last Updated:11 Sep 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Stration-X is a mass-mailing worm for the Windows platform.

Mails sent by the worm have the following characteristics:

Subject line: chosen from a list including
Mail server report.
Mail Transaction Failed
Error
Status
hello.

Message text: chosen from a list including

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available. W32/Stration-X is a mass-mailing worm for the Windows platform.

Mails sent by the worm have the following characteristics:

Subject line: one of
Mail server report.
Mail Transaction Failed
Error
Status
hello.
Good day

Message text: one of

Mail server report.
Our fireweall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in Windows, these viruses infect the computer unnoticeably.
After penetrating into the computer the virus harvest all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

Mail transaction failed. Partial message is available.

W32/Stration-X includes functionality to download, install and run new software.

When first run W32/Stration-X copies itself to <Windows folder>\tsrv.exe and creates
the following files:

<Windows system folder>\<random>.dll
<Windows system folder>\<random>.exe
<Windows system folder>\<random>.dll
<Windows folder>\tsrv.dll

These four files are also detected as W32/Stration-X.

The following registry entries are created to run tsrv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tsrv
<Windows folder>\tsrv.exe s

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
<path to one of the randomly-named DLLs>

When first run, W32/Stration-X displays the following message:

Title: Information
Message: Update successfully installed.

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy