Threat Encyclopedia


Win32/Stration.ET

Email-Worm.Win32.Warezov.gen (Kaspersky), W32/Stration@MM (McAfee), W32.Stration@mm (Symantec) 

Installation

When executed, the worm copies itself into the %windir% folder using the following filename:

t2serv.exe

 

The following files are dropped in the same folder:

t2serv.dll
t2serv.wax
t2serv.s

The following files are dropped in the %system% folder:

kbdaqosn.dll
mqpeh323.dll
vjoyslay.exe

 

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t2serv" = "%windir%\t2serv s"

 

The following Registry entry is also set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "kbdaqosn.dll e1.dll"

 

A Notepad window containing random text is displayed.

 

Spreading via e-mail

 

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Addresses containing the following strings are avoided:

.edu
.gov
.mil
@avp
@foo
admin
anyone@
apache
berkeley
bsd
bugs@
cafee
certific
contact
contract@
example
fido
ftp
gnu
gold-certs
google
help
help@
ibm.com
icrosoft
info@
kasp
kernel
linux
local
master
mozilla
mydomai
news
nobody
noone
noreply
panda
pgp
privacy
rating
rfc-ed
ripe.
root@
samples
secure
sendmail
service
somebody
someone
spam
support
unix
update
usenet
winrar
winzip
www
xx
you
your

 

Strings from the following four lists may be used to form the sender address:

sec
serv
secur


adam
alice
anna
betty
bob
brenda
brent
brian
carol
claudia
craig
cyber
dan
dave
david
debby
den
Donn
frank
george
gerhard
helen
james
jane
jayson
jerry
jim
joe
john
karen
linda
lisa
mancy
maria
ruth
sandra
sharon
Susan


adams
allen
anderson
baker
carter
clark
garcia
gonzalez
green
hall
harris
hernandez
hill
jackson
jeremy
joe
kenneth
king
lee
lewis
lopez
martin
martinez
miller
molly
moore
nelson
robinson
robyn
rodriguez
scott
shaan
taylor
thomas
thompson
walker
white
wilson
wright
young


areainc.com
logoluso.com
heatwave.com
megaman.com
scholzes.com
guierfence.com
tjh.com
phazen.net
fcradio.net
niet.com
gametemple.com
midmich.net
vieng.com
elamex.com
sycamorepd.com
selectplans.com
motorsportwarehouse.com
telcan.com
iinet.net.au
firstclassmoving.com

 

Subject of the message is one of the following:

Mail server report.
Server Report
Mail Delivery System
test
picture
hello
Status
Error
Good day
Mail Transaction Failed

 

Body of the message is one of the following:

Mail transaction failed. Partial message is available.


The message contains Unicode characters and has been sent as a binary attachment.


The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

The attachment is either the worm executable or a ZIP archive containing it. Its filename is one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB-abcd-x86

 

The "abcd" stands for a variable four-digit number. If an archive is attached, the name has the following extension:

.zip

 

If an executable is attached, a double extension may be used. The first extension is one of the following:

dat
doc
elm
log
msg
txt

The second extension is one of the following:

bat
cmd
exe
pif
scr
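The attachment naming scheme described above (a base name from the list, or "Update-KB-abcd-x86", followed by either ".zip" or a decoy document extension plus an executable extension) can be turned into a mail-gateway check. The following is an added example, not ESET's code; the sample attachment names and subjects are constructed from the lists on this page.

```python
import re

# Attachment base names listed in the description.
BASE_NAMES = {"body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"}
# "Update-KB-abcd-x86", where abcd is a variable four-digit number.
UPDATE_KB_RE = re.compile(r"^update-kb-\d{4}-x86$")
# Decoy document extension followed by an executable extension.
FIRST_EXT = {"dat", "doc", "elm", "log", "msg", "txt"}
SECOND_EXT = {"bat", "cmd", "exe", "pif", "scr"}
# Message subjects used by the worm (lower-cased for comparison).
SUBJECTS = {"mail server report.", "server report", "mail delivery system",
            "test", "picture", "hello", "status", "error", "good day",
            "mail transaction failed"}


def _base_matches(stem: str) -> bool:
    return stem in BASE_NAMES or UPDATE_KB_RE.match(stem) is not None


def classify_attachment(filename: str) -> str:
    """Return 'zip', 'double-ext' or 'clean' for one attachment name."""
    parts = filename.strip().lower().split(".")
    if len(parts) == 2 and parts[1] == "zip" and _base_matches(parts[0]):
        return "zip"
    if (len(parts) == 3 and _base_matches(parts[0])
            and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT):
        return "double-ext"
    return "clean"


def triage_message(subject: str, attachments: list) -> dict:
    """Quarantine when an attachment matches the worm's naming scheme;
    a matching subject is recorded only as corroborating evidence."""
    reasons = []
    for name in attachments:
        kind = classify_attachment(name)
        if kind != "clean":
            reasons.append(f"attachment {name!r} matches Stration naming ({kind})")
    if reasons and subject.strip().lower() in SUBJECTS:
        reasons.append(f"subject {subject!r} is a known Stration subject")
    return {"verdict": "quarantine" if reasons else "pass", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for subj, atts in [("Mail Transaction Failed", ["body.txt.exe"]),
                       ("Status", ["Update-KB-4821-x86.zip"]),
                       ("hello", ["photo.jpg"])]:
        print(subj, atts, "->", triage_message(subj, atts))
```

The check is deliberately tied to this worm's name lists; a general policy would also flag any double extension ending in an executable type regardless of the base name.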

Other information

The worm quits immediately if any of the following applications is detected:

Outpost Firewall
McAfee Personal Firewall
Kerio Winroute Firewall
ZoneAlarm
Sygate Personal Firewall
Norton Internet Security

 

The following programs are terminated:

nod32krn
avginet
avgupsvc
upgrader
drwebupw
spiderml
autodown
kav
mcupdate
tbmon
wuauclt
wuauclt1
wupdmgr

 

The worm contains a list of URLs from which it tries to download several files. The downloaded files are then executed.

 

© 1992-2006 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.