Stration Worm

Name:

Stration

Also known as:

W32.Stration@mm, W32/Spamta.A.worm, W32/Stration, WORM_STRATION.A, Email-Worm.Win32.Warezov.a

Type:

Email worm

Discovered:

August 15, 2006

Method of Propagation:

The Stration worm spreads via email, using a variety of subject lines and message text. The attachment carried by the Stration email may be named one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB%random_numbers%-x86

The attachment will have a .exe, .scr, or .zip extension, but it may also use a double-extension ruse to hide the executable extension on some versions of Windows, which hide known extensions by default. Enable the display of file extensions to identify the true extension.
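The naming pattern above is narrow enough to screen for at a mail gateway. The following is an added example, not code from the original article or from any antivirus vendor: it checks an attachment file name against the base names listed above, the .exe/.scr/.zip extensions, and the double-extension ruse. The `%random_numbers%` placeholder in `Update-KB%random_numbers%-x86` is assumed to be a run of digits, and the double-extension rule is applied to any executable attachment, not only those with the listed names, since the trick is not specific to this worm; all sample names are constructed.

```python
import re
from dataclasses import dataclass

# Attachment base names listed in the write-up. The Update-KB%random_numbers%-x86
# form is modelled as the regex below, with the placeholder assumed to be digits.
STRATION_BASENAMES = {
    "body", "data", "doc", "docs", "document", "file",
    "message", "readme", "test", "text",
}
UPDATE_KB_RE = re.compile(r"^update-kb\d+-x86$")

# Extensions the write-up says the attachment carries.
EXECUTABLE_EXTS = {"exe", "scr"}
CARRIER_EXTS = EXECUTABLE_EXTS | {"zip"}


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def inspect_attachment_name(filename: str) -> Verdict:
    """Judge one attachment file name against the Stration naming pattern.

    Matching is on the name alone; a real gateway would combine this with
    content inspection, since the worm also used other subjects and names.
    """
    # Split on every dot and trim padding so "document.doc      .exe" is
    # seen as three parts, not as a name that ends in spaces.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return Verdict(False, "no usable extension")
    base, inner, final = parts[0], parts[1:-1], parts[-1]

    if final not in CARRIER_EXTS:
        return Verdict(False, f".{final} is not an extension the worm is known to use")

    name_matches = base in STRATION_BASENAMES or UPDATE_KB_RE.match(base) is not None

    # Double-extension ruse: a document-looking extension in front of an
    # executable one. Flagged regardless of base name (a generalisation of
    # the write-up, since the same trick is used far beyond this worm).
    if inner and final in EXECUTABLE_EXTS:
        return Verdict(True, f"double extension: .{inner[-1]} hides .{final}")

    if name_matches:
        return Verdict(True, f"Stration attachment name '{base}' with .{final}")

    return Verdict(False, "executable/archive attachment, but name not in the Stration list")


def flag_suspicious(filenames: list[str]) -> list[str]:
    """Return the names from `filenames` that the heuristic flags."""
    return [f for f in filenames if inspect_attachment_name(f).suspicious]


# Constructed sample attachment names (not taken from real mail).
SAMPLE_ATTACHMENTS = [
    "document.exe",              # listed name, executable
    "Update-KB000000-x86.exe",   # placeholder digits stand in for %random_numbers%
    "readme.txt.scr",            # double extension hiding a screensaver binary
    "data.zip",                  # listed name inside an archive
    "readme.txt",                # harmless: plain text
    "quarterly-report.zip",      # archive, but not a Stration name
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = inspect_attachment_name(name)
        print(f"{name:28} {'SUSPICIOUS' if v.suspicious else 'ok':10} {v.reason}")
```

Run as a script, it prints a verdict per sample name; the first four are flagged and the last two pass. A name-only check like this is a cheap first filter, not a replacement for scanning the attachment itself.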

The Stration worm uses various message bodies in order to entice recipients into opening the infected attachment. In some cases, the email may claim to be a failed or rejected message. In other cases, the worm masquerades as a 'worm elimination' update. A partial example of a typical Stration email message follows:

Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses.
Please install updates for worm elimination and your computer restoring.

The Stration email worm attempts to download a file from a remote website. It also scours a wide range of file types found on the infected system, harvesting email addresses and sending its infected email to the discovered addresses.

Symptoms of Infection:

Note: There are dozens of variants of the Stration worm. The following technical details may not apply to each of them. To determine whether a Stration infection is present, scan your systems with up-to-date antivirus software.

System Impact:
The Stration email worm may drop the following files into the Windows directory (typically, C:\Windows):

  • t2serv.dll
  • t2serv.exe
  • t2serv.s
  • t2serv.wax

Stration may also drop the following files into the Windows system folder (typically, C:\Windows\System32):

  • e1.dll
  • mqoacdmo.dll
  • qdvtscf.dll
  • snmpmssw.exe

The Stration email worm may inject one or more of these DLLs into running processes, which can allow it to bypass some firewalls and other security software.

Stration modifies the registry as follows, in order to launch when Windows is started:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
t2serv = "%Windows%\t2serv.exe s"

Stration may also modify the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ""

changing the normally blank ("") value to "qdvtscf.dll e1.dll". Windows loads every DLL named in AppInit_DLLs into each process that loads user32.dll, which is how the worm gets its DLLs into other programs.

Removal Notes:
Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete them, or delete them manually. If you delete them manually, be sure to also remove the registry modifications made by the worm.
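The file names and registry values listed under System Impact are exactly what an administrator checks for when confirming an infection before removal. The following is an added example, not code from the original article: it looks for the dropped files in the Windows and System32 directories, the `t2serv` Run value, and the worm's DLL names in `AppInit_DLLs`, and reports what it finds without deleting anything. The file and registry accessors are parameters so the same logic can be exercised against constructed data on any platform; the defaults query the live machine through `winreg` on Windows.

```python
import os
import sys
from typing import Callable, Optional

# File and registry indicators listed in the write-up.
WINDOWS_DIR_FILES = ["t2serv.dll", "t2serv.exe", "t2serv.s", "t2serv.wax"]
SYSTEM32_FILES = ["e1.dll", "mqoacdmo.dll", "qdvtscf.dll", "snmpmssw.exe"]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "t2serv"
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"
APPINIT_DLLS = {"qdvtscf.dll", "e1.dll"}


def read_hklm_string(subkey: str, name: str) -> Optional[str]:
    """Read a string value under HKEY_LOCAL_MACHINE; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _kind = winreg.QueryValueEx(key, name)
            return str(value)
    except OSError:
        return None


def find_stration_indicators(
    windir: str,
    system32: str,
    file_exists: Callable[[str], bool] = os.path.exists,
    read_value: Callable[[str, str], Optional[str]] = read_hklm_string,
) -> list[str]:
    """Return a description of each Stration indicator found on the host.

    The accessors are parameters so the logic can run against constructed
    data; the defaults query the live machine.
    """
    findings = []
    for directory, names in ((windir, WINDOWS_DIR_FILES), (system32, SYSTEM32_FILES)):
        for name in names:
            path = os.path.join(directory, name)
            if file_exists(path):
                findings.append(f"file present: {path}")

    run = read_value(RUN_KEY, RUN_VALUE)
    if run is not None:
        findings.append(f"autorun: HKLM\\{RUN_KEY}\\{RUN_VALUE} = {run!r}")

    appinit = read_value(APPINIT_KEY, APPINIT_VALUE)
    if appinit:
        # AppInit_DLLs is a space- or comma-separated list; it is normally empty.
        loaded = {d.strip().lower() for d in appinit.replace(",", " ").split()}
        hits = sorted(loaded & APPINIT_DLLS)
        if hits:
            findings.append(f"AppInit_DLLs loads worm DLLs: {' '.join(hits)}")
    return findings


def demo_constructed_host() -> list[str]:
    """Run the check against constructed data imitating an infected machine."""
    present = {"t2serv.exe", "qdvtscf.dll"}          # constructed: two dropped files
    registry = {                                     # constructed registry contents
        (RUN_KEY, RUN_VALUE): r"C:\Windows\t2serv.exe s",
        (APPINIT_KEY, APPINIT_VALUE): "qdvtscf.dll e1.dll",
    }
    return find_stration_indicators(
        r"C:\Windows", r"C:\Windows\System32",
        file_exists=lambda p: os.path.basename(p).lower() in present,
        read_value=lambda k, n: registry.get((k, n)),
    )


def demo_clean_host() -> list[str]:
    """Same check against constructed data for a machine with no indicators."""
    return find_stration_indicators(
        r"C:\Windows", r"C:\Windows\System32",
        file_exists=lambda p: False,
        read_value=lambda k, n: "" if n == APPINIT_VALUE else None,
    )


if __name__ == "__main__":
    if sys.platform == "win32":
        windir = os.environ.get("WINDIR", r"C:\Windows")
        results = find_stration_indicators(windir, os.path.join(windir, "System32"))
    else:
        results = demo_constructed_host()
    print("\n".join(results) or "no Stration indicators found")
```

On Windows the script inspects the real machine; elsewhere it runs against the constructed infected host and reports two files, the Run value and the AppInit_DLLs entry. Two caveats for a live run: a 32-bit Python on 64-bit Windows reads the redirected (Wow6432Node) view of HKLM\SOFTWARE, and the article itself notes that many variants exist, so an empty result from this list is not a clean bill of health.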

©2014 About.com. All rights reserved.