Antivirus and Security Software from Sophos

W32/Stration-B

Aliases
  • Trojan.Win32.Opnis.q
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 August 2006 08:39:14 (GMT)
Last updated 17 October 2006 07:31:11 (GMT)
Detected by All Sophos products

More Information

W32/Stration-B is a mass-mailing worm and backdoor Trojan for the Windows platform.

W32/Stration-B spreads by sending emails with itself as an attachment to email addresses harvested from the Windows Address Book (WAB). Emails sent by the worm have the following characteristics:

Subject line chosen from:

hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed

Message text chosen from:

'Mail transaction failed. Partial message is available.'

'The message contains Unicode characters and has been sent as a binary attachment.'

'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'

The worm is included as a file attachment. The file attachment filename starts with one of the following names:

body
data
doc
docs
document
file
message
readme
test
text

The filenames have a double file extension, with a large number of spaces between the two file extensions. For instance, a typical filename might be:

file.txt .exe

The second file extension is usually one of .BAT, .PIF, .CMD, .EXE or .SCR.
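A mail-gateway check for the lure described above, written as an added example (not Sophos's code): it flags attachment names of the form `<stem>.<innocuous ext><spaces>.<executable ext>` using the stems, extensions and subject lines listed on this page, and also catches the unpadded `name.txt.exe` variant. The function names and the sample filenames are constructed for illustration.

```python
import re

# Attachment name stems, executable extensions and subject lines from the description above.
STEMS = {"body", "data", "doc", "docs", "document", "file", "message", "readme", "test", "text"}
EXEC_EXTS = {".bat", ".pif", ".cmd", ".exe", ".scr"}
SUBJECTS = {"hello", "picture", "server report", "status", "test", "good day",
            "error", "mail delivery system", "mail transaction failed"}

# <stem>.<first ext><zero or more spaces>.<second ext>; the padding is what hides
# the real extension in mail clients that truncate long names.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^.\s]+)\.(?P<first>[A-Za-z0-9]+)(?P<pad>\s*)(?P<second>\.[A-Za-z0-9]+)$"
)


def classify_attachment(filename):
    """Return details of a Stration-style double-extension name, or None if it is clean."""
    m = PADDED_DOUBLE_EXT.match(filename)
    if m is None:
        return None
    second = m.group("second").lower()
    if second not in EXEC_EXTS:
        return None  # e.g. archive.tar.gz is a double extension but not executable
    stem = m.group("stem").lower()
    return {
        "stem_matches_list": any(stem.startswith(s) for s in STEMS),
        "padding_spaces": len(m.group("pad")),
        "visible_extension": "." + m.group("first").lower(),
        "real_extension": second,
    }


def looks_like_stration_lure(subject, attachment_name):
    """Verdict for one message: executable hidden behind a padded extension, plus a
    listed subject line or a listed attachment stem."""
    info = classify_attachment(attachment_name)
    if info is None:
        return False
    return subject.strip().lower() in SUBJECTS or info["stem_matches_list"]


if __name__ == "__main__":
    # Constructed sample names; the six-space gap stands in for the much longer padding seen in the wild.
    for name in ("file.txt      .exe", "data.txt .scr", "report.pdf", "archive.tar.gz"):
        print(name, "->", classify_attachment(name))
```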

W32/Stration-B includes functionality to:
- communicate with a remote server via HTTP
- disable anti-virus and other security related software

The worm interferes with the following processes:

mpftray.exe
outpost.exe
ccapp.exe
smc.exe
zapro.exe
zlclient.exe
opera.exe
firefox.exe
svchost.exe
services.exe
iexplore.exe

When run W32/Stration-B copies itself to <Windows>\svchost32.exe and also to the Temp folder, with names similar to those used for email attachments.

W32/Stration-B also creates the following files:

<System>\cmut449c14b7.dll - detected as W32/Stration-B
<System>\hpzl449c14b7.exe - detected as W32/Stration-B
<System>\msji449c14b7.dll - detected as W32/Stration-B
<Current Folder>\D.TMP - this file can be safely deleted

W32/Stration-B then proceeds to open the file D.TMP with the Windows Notepad application.

The following registry entry may be created to run W32/Stration-B on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<filename without extension>
<pathname of the W32/Stration-B executable>

The following registry entry is also created:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
msji449c14b7.dll

W32/Stration-B also attempts to download further executable code.
