myITforum.com


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

Stration Worm -- Tricky new malware unnerves security vendors

Sharing an article on Stration, which is on the watchlist for developments, as it's now one of the leading email worms.

Stration Worm -- Tricky new malware unnerves security vendors
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004601

quote:  October 30, 2006  (IDG News Service) -- A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it.  Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.

The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows OS. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.

Those new versions are created by a program on a server controlled by the hacker, Hypponen said.  In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.

Coincidentally, I just got a leading-edge Stration variant that McAfee, Symantec, and Microsoft didn't detect (as of 2pm EDT).

EMAIL SUBJECT TITLE: This is not shown on TV.
ATTACHMENT: picture0000.zip (0000=number)


quote: Complete scanning result of "picture1656.zip", processed in VirusTotal at 10/31/2006 19:37:49 (CET).

[ file data ]
* name: picture1656.zip
* size: 13321
* md5.: 17653f8f867ef7a6f5b9dd4be2f55902
* sha1: c0c70aead05814cb35097fc2358615868fd67f42

[ scan result ]
AntiVir 7.2.0.34/20061031 found [TR/Dldr.Stration.C.6]
Authentium 4.93.8/20061031 found [W32/Warezov.GA]
Avast 4.7.892.0/20061031 found [Win32:Warezov-MF]
AVG 386/20061031 found [I-Worm/Stration]
BitDefender 7.2/20061031 found [Win32.Warezov.EW@mm]
CAT-QuickHeal 8.00/20061031 found [I-Worm.Warezov.ev]
ClamAV devel-20060426/20061031 found [Worm.Stration.YY]
DrWeb 4.33/20061031 found [Win32.HLLM.Limar.based]
eTrust-InoculateIT 23.73.41/20061031 found [Win32/Stration.Variant!Worm]
eTrust-Vet 30.3.3170/20061031 found nothing
Ewido 4.0/20061031 found nothing
F-Prot 3.16f/20061031 found [W32/Warezov.GA]
F-Prot4 4.2.1.29/20061031 found [W32/Warezov.GA]
Fortinet 2.82.0.0/20061031 found [W32/Stration.DU@mm]
Ikarus 0.2.65.0/20061031 found [Email-Worm.Win32.Warezov.gen]
Kaspersky 4.0.2.24/20061031 found [Email-Worm.Win32.Warezov.ev]
McAfee 4884/20061030 found nothing
Microsoft 1.1609 /20061031 found nothing
NOD32v2 1.1845/20061031 found [a variant of Win32/Stration]
Norman 5.80.02/20061031 found [W32/Stration.AOH]
Panda 9.0.0.4/20061031 found nothing
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.109/20061030 found [W32/Generic!zip-dobleextension]
UNA 1.83/20061031 found nothing
VBA32 3.11.1/20061031 found [MalwareScope.Worm.Warezov.1]
VirusBuster 4.3.15:9/20061031 found [Trojan.Opnis.Gen.14]
