Also known as:
Method of Propagation:
The attachment has a .exe, .scr, or .zip extension, but it may also use a double-extension ruse (a harmless-looking extension followed by the real executable one) to hide the executable extension on versions of Windows that hide known file extensions by default. Enable file extension viewing in Explorer so the true extension is visible.
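As an added example (not code from the original page), the following PowerShell triages attachment names the way the description above suggests: it reports the real (final) extension, flags the double-extension ruse and whitespace padding that pushes the real extension out of view, and turns off Explorer's extension hiding. The executable extensions are the ones named above; the decoy extension list and the sample file names are assumptions constructed for illustration.

```powershell
# Extensions the worm is described as using (.zip carries the executable inside an archive).
$ExecutableExtensions = @('.exe', '.scr', '.zip')
# Assumed decoy extensions used in front of the real one, e.g. "report.doc.exe".
$DecoyExtensions = @('.doc', '.txt', '.pdf', '.jpg', '.htm', '.html')

function Test-SuspiciousAttachment {
    param([Parameter(Mandatory)][string]$Name)

    # Windows drops trailing dots/spaces from a file name, so trim before judging.
    $clean   = $Name.Trim()
    $realExt = [System.IO.Path]::GetExtension($clean).ToLowerInvariant()

    # Part before the real extension; a decoy extension hides here in the double-extension ruse.
    $stem     = [System.IO.Path]::GetFileNameWithoutExtension($clean).TrimEnd()
    $innerExt = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()

    $isExecutable = $realExt -in $ExecutableExtensions
    $hasDecoy     = $isExecutable -and ($innerExt -in $DecoyExtensions)
    # Runs of spaces before the final extension push ".exe" off the visible width of a column.
    $isPadded     = $isExecutable -and ($clean -match '\s{3,}\.\w+$')

    [pscustomobject]@{
        Name          = $Name
        RealExtension = $realExt
        DoubleExt     = $hasDecoy
        Padded        = $isPadded
        Suspicious    = $isExecutable
    }
}

function Enable-FileExtensionDisplay {
    # Clearing HideFileExt makes Explorer show every extension; Explorer reads it at start.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

# Constructed sample names, not real attachments observed on the page.
$samples = @(
    'Mail-Update.zip',
    'Update-KB.doc.exe',
    'photo.jpg                              .scr',
    'readme.txt'
)
$samples | ForEach-Object { Test-SuspiciousAttachment -Name $_ } | Format-Table -AutoSize
```

The final extension decides whether the file can run; the decoy and padding flags only explain how the name was meant to mislead, so a gateway rule should act on Suspicious and log the other two fields for the analyst.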
The Stration worm uses various message bodies in order to entice recipients into opening the infected attachment. In some cases, the email may claim to be a failed or rejected message. In other cases, the worm masquerades as a 'worm elimination' update. A partial example of a typical Stration email message follows:
Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.
The Stration email worm attempts to download a file from a remote website. It also harvests email addresses from a wide range of file types found on the infected system and sends copies of itself to the addresses it discovers.
Symptoms of Infection:
Note: There are dozens of variants of the Stration worm. The following technical details may not apply to each of them. To determine whether a Stration infection is present, scan your systems with up-to-date antivirus software.
The Stration email worm may drop the following files into the Windows directory (typically, C:\Windows):
Stration may also drop the following files into the Windows system folder (typically, C:\Windows\System32):
The Stration email worm may inject one or more of these DLLs into running processes. Code running inside an already-trusted process (such as a browser or mail client) inherits that process's permissions in application-aware (per-process) firewalls and may evade other security software that watches only for new executables.
Stration modifies the registry as follows, in order to launch when Windows is started:
t2serv = "%Windows%\t2serv.exe s"
Stration may also modify the following subkey. The AppInit_DLLs value causes the listed DLLs to be loaded into every process that loads user32.dll, which gives the worm a second, broader persistence and injection mechanism:
AppInit_DLLs = ""
changing the blank ("") value to "qdvtscf.dll e1.dll"
Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete these files, or delete them manually. If opting for manual deletion, remove the registry modifications made by the worm as well, and expect the DLLs to be locked while they are loaded into running processes: stop the worm's process first, and reboot (or boot into Safe Mode) before retrying if deletion fails.
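As an added example (not code from the original page), the following PowerShell checks a host for the persistence artifacts listed above and, when asked, reverses them. The page names the t2serv Run value but not the Run key it sits in, so both the machine-wide and per-user Run keys are checked (an assumption). The AppInit_DLLs value's location under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is the standard one and is not taken from the page. Run from an elevated PowerShell session.

```powershell
$RunValueName = 't2serv'
$RunKeys      = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')   # assumption: key not named on the page
$AppInitKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # standard AppInit_DLLs location
$WormDlls     = @('qdvtscf.dll', 'e1.dll')
$WormFiles    = @("$env:SystemRoot\t2serv.exe") +
                ($WormDlls | ForEach-Object { "$env:SystemRoot\System32\$_" })

function Get-AppInitEntries {
    # AppInit_DLLs is a space- or comma-separated list; judge each entry, not the whole string.
    $raw = (Get-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if (-not $raw) { return @() }
    $raw -split '[ ,]+' | Where-Object { $_ }
}

function Find-StrationPersistence {
    $findings = @()
    foreach ($key in $RunKeys) {
        $v = Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
        if ($v) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Data = $v.$RunValueName }
        }
    }
    $hits = Get-AppInitEntries | Where-Object { ([IO.Path]::GetFileName($_)).ToLowerInvariant() -in $WormDlls }
    foreach ($h in $hits) {
        $findings += [pscustomobject]@{ Type = 'AppInit_DLLs'; Location = $AppInitKey; Data = $h }
    }
    foreach ($f in $WormFiles) {
        if (Test-Path -LiteralPath $f) {
            # Record the hash so the sample can be matched against AV detections later.
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = (Get-FileHash -LiteralPath $f).Hash }
        }
    }
    $findings
}

function Remove-StrationPersistence {
    # Registry first, so nothing relaunches the worm if the file deletion has to wait for a reboot.
    foreach ($key in $RunKeys) {
        Remove-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
    }
    # Strip only the worm's entries from AppInit_DLLs; other software may legitimately be listed.
    $kept = Get-AppInitEntries | Where-Object { ([IO.Path]::GetFileName($_)).ToLowerInvariant() -notin $WormDlls }
    if (Get-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -Value ($kept -join ' ')
    }
    # Stop the running copy, then delete. Injected DLLs stay locked until their host processes exit.
    Get-Process -Name 't2serv' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $WormFiles) {
        if (Test-Path -LiteralPath $f) {
            try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete $f (still loaded?); reboot and run again. $_" }
        }
    }
}

# Review the findings before remediating; the list is empty on a clean host.
Find-StrationPersistence | Format-Table -AutoSize
```

Run Find-StrationPersistence first and keep its output as the incident record; call Remove-StrationPersistence only after antivirus has confirmed the infection, and run the finder again after the reboot to confirm that the files are gone and the registry values have not been restored by a copy of the worm that was still running.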