WORM_STRAT


 ALIASES:

Stration; Warezov; Strati

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Propagates via email

STRAT, also known as STRATION or WAREZOV, is a family of mass-mailing worms that propagate using simple, recycled email messages which have already been used by worm families that preceded it. Its spamming components and download components are being detected as Trojans. The first STRAT variant was spotted in 2006.

STRAT's purpose is to release numerous variants in the wild to create an outbreak. Later investigations revealed that this malware family attempts to affect as many computers as possible to create a zombie network that can be used to send spam.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\{random file name}.exe
  • %Windows%\serv.exe
  • %Windows%\cserv32.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Serv = "%Windows%\serv.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
cserv32 = "%Windows%\cserv32.exe s"

It drops the following files:

  • %System%\e1.dll
  • %System%\hhselz32.dll
  • %System%\mslsicwd.dll
  • %System%\{random file name}.dat
  • %System%\{random file name}.dll
  • %System%\{random file name}.dll
  • %System%\{random file name}.exe
  • %Windows%\cserv32.dat
  • %Windows%\cserv32.wax
  • %Windows%\serv.s
  • %Windows%\serv.wax

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "{Random File Name}.dll e1.dll"

(Note: The default value data of the said registry entry is {blank}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "e1.dll"

(Note: The default value data of the said registry entry is blank.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "hhselz32.dll"

(Note: The default value data of the said registry entry is blank.)

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}
DllName = "%System%\{random file name}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}
Startup = "WlxStartupEvent"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}
Shutdown = "WlxShutdownEvent"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}
Impersonate = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\{random}
Asynchronous = "0"

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}erreg.com/chr/859/e/b?lid={random}
  • http://{BLOCKED}rade.{BLOCKED}dotnet.ne/?version=196644&source=kazaa_336
  • http://www2.{BLOCKED}desachlion.co/cgi-bin/a.cgi
  • http://www3.{BLOCKED}desachlion.com/cgi-bin/a.cgi
  • http://www3.{BLOCKED}desachlion.com/chr/tdg/lt.ex
  • http://www4.{BLOCKED}desachlion.co/chr/tdg/lt.exe
  • http://www6.{BLOCKED}desachlion.co/chr/tdg/nt.exe
  • http://www6.{BLOCKED}jinkderunha.com/chr/829/nt.exe
  • http://www6.{BLOCKED}esinpoion.com/chr/821