Stration Worms Spoil Operating Systems
A batch of different "Stration" worms was discovered spreading through e-mail attachments.
Trend Micro reported that 'Worm Stration.AZ' spreads through e-mail attachments, with the messages sent to addresses obtained from the Windows Address Book (WAB). The attached files carry double extensions, falsely suggesting that the attachment is safe to download and run on the system.
The worm does not use e-mail clients such as Outlook or Thunderbird; it has its own SMTP engine to send messages. The attachment poses as a patch from Microsoft, with a file name of the form Update-KB(some random set of numbers)-x86.exe. The worm affects the PC by placing infected files in some folders, and it changes the Windows registry so that it runs automatically when Windows boots.
The worm attempts to disable firewall software. It also blocks access to certain websites by changing the HOSTS file of the infected computer. It even tries to download malware from a malicious website, which increases the danger to the computer.
Trend Micro has discovered a similar worm that resides in the system's memory, named Worm Stration.BB. Information about both worms, along with instructions for their removal, is provided on Trend Micro's website.
The Stration worm has a variant called W32/Stration-X, a mass-mailing worm that infects the Windows operating system. Subject lines such as 'Hello', 'Status', 'Error', 'Mail Transaction failed' and 'Mail server report' help to identify the mails. W32/Stration-X is able to download, install and run new programs.
The message body asks recipients to open the attachment, saying that the message contains Unicode characters. Alternatively, it may say that the message cannot be viewed in 7-bit ASCII format and has therefore been sent as a binary attachment. Sometimes the message text is displayed only partially and states that the mail transaction has failed.
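The subject lines and attachment naming described above can be turned into a simple mail triage check. The following is an added example, not code from Trend Micro, Sophos or the original article; the function names, the extension lists and the sample message (addresses, KB number) are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Subject lines the article lists for W32/Stration-X (lower-cased).
SUBJECTS = {"hello", "status", "error", "mail transaction failed", "mail server report"}
# Fake Microsoft patch name described in the article: Update-KB<digits>-x86.exe
PATCH_NAME = re.compile(r"^Update-KB\d+-x86\.exe$", re.IGNORECASE)
# Assumption: which extensions count as executable and which as harmless-looking.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXT = {"txt", "doc", "log", "dat"}

def attachment_flags(filename):
    """Return the naming tricks found in one attachment file name."""
    flags = []
    if PATCH_NAME.match(filename):
        flags.append("fake-patch-name")
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT:
        flags.append("double-extension")
    return flags

def triage(raw_message):
    """Return (suspicious, findings) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        findings.append("subject-match")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.extend(attachment_flags(name))
    # "Hello" alone is far too common: flag only when an attachment also matches.
    return any(f != "subject-match" for f in findings), findings

# Constructed sample message (addresses and KB number are made up).
SAMPLE = "\n".join([
    "From: sender@example.test", "To: rcpt@example.test",
    "Subject: Mail server report", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="XX"', "",
    "--XX", "Content-Type: text/plain", "",
    "The message contains Unicode characters.",
    "--XX", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="Update-KB123456-x86.exe"', "",
    "placeholder", "--XX--", ""])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A subject match on its own is only recorded, not flagged, because subjects such as 'Hello' appear in ordinary mail.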
Another worm found by Sophos is W32/Stration-T, quite similar to Stration.AZ and Stration.BB. The worm forges the sender's e-mail address and downloads malicious code. It also modifies the registry and causes 'Denial of Service' attacks. Details and removal techniques for the worm are provided on the Sophos website.
» SPAMfighter News - 19-09-2006