
Trojan:Win32/Stration.gen!dr


First posted on 13 July 2019.
Source: Microsoft

Aliases:

Trojan:Win32/Stration.gen!dr is also known as Win32/Stration!generic, W32/Strati-Gen, W32.Stration.DL@mm, WORM_STRAT.DR.

Explanation:

Win32/Stration.gen is generic detection for a family of mass-mailing email worms that may terminate processes related to security software, block access to security-related domains, and attempt to download a file from a remote website. Typically, the downloaded file is a new variant of the Win32/Stration worm. Win32/Stration sends itself to addresses obtained from a wide range of file types found on the infected system.

The e-mail message composed by Win32/Stration worms may masquerade as one of the following failure messages:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

The Win32/Stration e-mail message may also masquerade as a scanning tool, as follows:

Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards,
Customers support service

The Win32/Stration worm attaches a copy of itself to the e-mail. Attachment names may vary and may include one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB%random_numbers%-x86 (where %random_numbers% indicates a series of numbers)

Win32/Stration may use a double extension ruse, in which the filenames may be appended with one of the following:

.log
.msg
.txt

The Win32/Stration attachment generally has one of the following actual extensions:

.exe
.scr
.zip

Upon infection, Win32/Stration drops files, usually into the Windows folder (typically C:\Windows) or the Windows system folder (typically C:\Windows\System32). File names may vary; common examples include:

cserv32.exe
cservv32.exe
dpv1usrd.exe
e1.dll
msserv.exe
mswiizz32.exe
nwwksetr.dll
rsmb.exe
rsmpwtsa.exe
serrv.exe
serv.exe
sisbaclu.dll
sserrvv.exe
svchost.exe
t2serv.dll
t2serv.exe
tsrv.exe

In order to load when Windows is started, Win32/Stration worms modify the system registry by adding a value whose data is the path to one of the dropped files under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Win32/Stration may load the dropped DLL files by modifying the following registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

All the DLLs specified in this value are loaded by each Windows-based application running in the current logon session.

Win32/Stration may also register the dropped DLL files to load as Winlogon notification packages by modifying the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

adding the value: 'acac'

The Win32/Stration worms may attempt to terminate processes associated with certain antivirus and security software installed on the system. Win32/Stration may also modify the Windows Hosts file in an attempt to block access to certain domains, thereby preventing access to security updates and information that could be used to detect or remove the worm.

Last update 13 July 2019
