Sophos

W32/Stration-G

Aliases
  • W32/Stration@MM
  • Win32/Opnis.NAJ

Summary

W32/Stration-G is a mass-mailing worm for the Windows platform.
How it spreads
  • Email messages
Affected operating systems Windows
Protection available since 26 August 2006 12:42:33 (GMT)
Last updated 3 May 2007 07:37:51 (GMT)
Detected by All Sophos products

More Information

W32/Stration-G is a mass-mailing worm for the Windows platform.

W32/Stration-G spreads by sending emails with itself as an attachment. The emails take the following form.

The subject line is chosen from the following:

hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed

The message text is chosen from the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-Bit ASCII encoding and has been sent as a binary attachment.

The worm is attached as a file whose name starts with one of the following:

body
data
doc
docs
document
file
message
readme
test
text

The filenames have a double file extension, with a large number of spaces between the two extensions, so that a mail client which truncates long attachment names shows only the harmless-looking first extension and hides the executable one. For instance, a typical filename might be:

body.log                       .cmd
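A mail-gateway check for the lure described above, written as an added example for this page (it is not Sophos code and not part of the original write-up). It parses a constructed MIME message, flags attachment names of the form "stem.decoy<padding>.exe-like" regardless of how many spaces separate the two extensions, and combines that with the subject lines listed above. The subject list, stem list and executable-extension set are taken from or assumed for this write-up; the sample message is constructed.

```python
import re
from email import message_from_string
from typing import Optional

# Subject lines and attachment name stems listed in the Stration-G write-up.
STRATION_SUBJECTS = {
    "hello", "picture", "server report", "status", "test", "good day",
    "error", "mail delivery system", "mail transaction failed",
}
STRATION_STEMS = {"body", "data", "doc", "docs", "document", "file",
                  "message", "readme", "test", "text"}
# Assumption: extensions Windows will run when hidden behind the padded decoy.
EXECUTABLE_EXTS = {"cmd", "bat", "exe", "scr", "pif", "com"}

# "body.log<many spaces>.cmd": stem, decoy extension, run of whitespace,
# then the real extension. Two or more spaces is enough to be suspicious;
# a legitimate filename has no whitespace immediately before its extension.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^.\s]+)\.(?P<decoy>[A-Za-z0-9]+)\s{2,}\.(?P<real>[A-Za-z0-9]+)$"
)

def classify_filename(name: str) -> Optional[dict]:
    """Return details of a padded double-extension name, or None if it is not one."""
    m = PADDED_DOUBLE_EXT.match(name)
    if not m:
        return None
    real = m.group("real").lower()
    return {
        "stem": m.group("stem"),
        "decoy_ext": m.group("decoy").lower(),
        "real_ext": real,
        "executable": real in EXECUTABLE_EXTS,
        "stration_stem": m.group("stem").lower() in STRATION_STEMS,
    }

def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and decide whether to block, review or pass it."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = {"subject_match": subject in STRATION_SUBJECTS,
                "suspicious_attachments": []}
    for part in msg.walk():
        fname = part.get_filename()      # unquotes the Content-Disposition name
        if not fname:
            continue
        info = classify_filename(fname)
        if info and info["executable"]:
            findings["suspicious_attachments"].append(fname)
    if findings["suspicious_attachments"]:
        findings["verdict"] = "block"
    elif findings["subject_match"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "pass"
    return findings

# Constructed sample modelled on the write-up; the attachment body is a stub.
SAMPLE_EMAIL = """\
From: postmaster@example.test
To: victim@example.test
Subject: Mail Transaction Failed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="body.log                       .cmd"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE_EMAIL))
```

The regex deliberately keys on the whitespace run rather than on the specific stems, so a variant that changes its name list but keeps the padding trick is still caught; the stem and subject lists only raise confidence.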

W32/Stration-G copies itself to \svchost32.exe and also to the Temp folder, with names similar to those used for email attachments.

W32/Stration-G also attempts to download further executable code. The downloaded executable will install the following files:

<System>\feclipna.dll
<System>\feclipna.exe
<System>\racpwow3.exe

The following registry entries register feclipna.dll as a Winlogon notification package, so that Winlogon loads the DLL at boot and calls the exported function named by the Startup value (WlxStartupEvent) before any user logs on:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feclipna
    DllName = \feclipna.dll
    Startup = WlxStartupEvent
    Impersonate = 0
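A triage check for this persistence mechanism, added here as an example (not Sophos code and not part of the original write-up). It parses the text of a `reg export` of the Winlogon\Notify key, decodes both plain and hex(2) (REG_EXPAND_SZ) DllName values, and reports any notification package whose DLL is not in a baseline. The baseline below is an assumption: a few packages shipped with Windows XP; build your own from a clean reference host. The .reg text is constructed, with the feclipna key mirroring the values listed above.

```python
import re
from typing import Dict, List

NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")

# Assumption: DLLs behind the Notify packages of a stock Windows XP install.
# Not exhaustive; replace with a baseline taken from a known-clean host.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Value names Winlogon treats as event handlers (each names an exported function).
EVENT_VALUES = {"Logon", "Logoff", "Startup", "Shutdown", "Lock", "Unlock",
                "StartScreenSaver", "StopScreenSaver", "StartShell", "PostShell",
                "Disconnect", "Reconnect"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def decode_reg_data(data: str) -> str:
    """Turn a .reg data field ("str", dword:, hex(2):) into a printable string."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    m = re.match(r"hex(?:\(\d+\))?:(.*)", data)
    if m:                                # REG_EXPAND_SZ / binary: UTF-16LE bytes
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in a .reg export to its decoded name/data pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data wrapped onto the next line
            pending = line[:-1]
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_reg_data(vm.group("data"))
    return keys

def find_unknown_notify_packages(reg_text: str) -> List[dict]:
    """List Winlogon Notify packages whose DLL is not in the baseline."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.startswith(NOTIFY_PREFIX):
            continue
        dll = values.get("DllName")
        if dll is None:
            continue
        dll_base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll_base not in KNOWN_NOTIFY_DLLS:
            findings.append({
                "package": key[len(NOTIFY_PREFIX):],
                "dll": dll,
                "events": sorted(v for v in values if v in EVENT_VALUES),
            })
    return findings

# Constructed sample of `reg export ...\Winlogon\Notify notify.reg` on an
# infected XP host: one stock package plus the key described in the write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\feclipna]
"DllName"="feclipna.dll"
"Startup"="WlxStartupEvent"
"Impersonate"=dword:00000000
"""

if __name__ == "__main__":
    for f in find_unknown_notify_packages(SAMPLE_REG_EXPORT):
        print(f)
```

Because Winlogon runs notification packages as SYSTEM before logon, anything unexpected under this key deserves the same scrutiny as a service or a Run key; the DLL path and the event it hooks (here Startup) tell you when its code executes.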
