Threat Encyclopedia

Win32/Stration

Aliases: Email-Worm.Win32.Warezov.gen (Kaspersky), W32/Stration@MM (McAfee), W32.Stration@mm (Symantec)

This text describes a family of worms. As there are many different variants of Win32/Stration, some properties may vary.

Installation

When executed, the worm copies itself into the %windir% folder. Several other files are dropped into the following folders:

%system%
%windir%

The following Registry entries are set:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

The entries contain the path to the worm's executables.

A Notepad window with random text may be displayed.

Spreading via e-mail

E-mail addresses for further spreading are harvested from local files. The subject of the message may be one of the following:

Error
Good day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
test

The body of the message may be one of the following:

Mail transaction failed. Partial message is available.

The message contains Unicode characters and has been sent as a binary attachment.

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

The attachment is either an executable of the worm, or a ZIP archive containing it. Its filename may be one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB-abcd-x86

The "abcd" stands for a variable four-digit number. If an archive is attached, the name has the following extension:

.zip

If an executable is attached, a double extension may be used. The first is one of the following:

dat
doc
elm
log
msg
txt

The second is one of the following:

bat
cmd
exe
pif
scr
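As an added defender-side example (not part of the ESET entry), the following Python gathers the subject lines, attachment names and extension pairs listed above into a simple mail-gateway check. Treating a single executable extension on a listed name as a hit, and the sample message at the bottom, are assumptions rather than something the entry states.

```python
import re
from typing import List, Optional

# Values below are the ones listed in the Win32/Stration description above.
STRATION_BASENAMES = {"body", "data", "doc", "docs", "document", "file",
                      "message", "readme", "test", "text"}
FIRST_EXTS = {"dat", "doc", "elm", "log", "msg", "txt"}      # decoy extension
SECOND_EXTS = {"bat", "cmd", "exe", "pif", "scr"}            # real executable
STRATION_SUBJECTS = {"error", "good day", "hello", "mail delivery system",
                     "mail server report.", "mail transaction failed",
                     "picture", "server report", "status", "test"}
# "Update-KB-abcd-x86", where abcd is a variable four-digit number
UPDATE_KB_RE = re.compile(r"^update-kb-\d{4}-x86$")


def stration_basename(stem: str) -> bool:
    """True when the name (without extensions) is one the worm is known to use."""
    s = stem.lower()
    return s in STRATION_BASENAMES or UPDATE_KB_RE.match(s) is not None


def classify_attachment(filename: str) -> Optional[str]:
    """Return why an attachment name matches the worm's patterns, or None."""
    parts = filename.lower().split(".")
    if not stration_basename(parts[0]):
        return None
    if len(parts) == 2 and parts[1] == "zip":
        return "zip archive with worm-style name"
    if len(parts) == 2 and parts[1] in SECOND_EXTS:
        return "executable with worm-style name"        # assumption: single extension
    if len(parts) == 3 and parts[1] in FIRST_EXTS and parts[2] in SECOND_EXTS:
        return "double extension .%s.%s with worm-style name" % (parts[1], parts[2])
    return None


def score_message(subject: str, attachments: List[str]) -> List[str]:
    """Collect every indicator from the entry that a message exhibits."""
    reasons = []
    if subject.strip().lower() in STRATION_SUBJECTS:
        reasons.append("subject matches worm list: %r" % subject)
    for name in attachments:
        why = classify_attachment(name)
        if why:
            reasons.append("%s: %s" % (name, why))
    return reasons


if __name__ == "__main__":
    # Constructed sample message, not a real capture.
    for line in score_message("Mail Transaction Failed", ["Update-KB-4821-x86.zip"]):
        print(line)
```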

Other information

The worm terminates various security-related applications.

The worm contains a list of URLs. It tries to download several files from these addresses; the downloaded files are then executed.

© 1992-2006 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.