Threat Encyclopaedia

Win32/Stration

Aliases: Email-Worm.Win32.Warezov.gen (Kaspersky), W32/Stration@MM (McAfee), W32.Stration@mm (Symantec)
Type of infiltration: worm
Affected platforms: Microsoft Windows
Short description: Win32/Stration is a worm that spreads via e-mail.

This text describes a family of worms. As there are many different variants of Win32/Stration, some properties may vary.

 

Installation

When executed, the worm copies itself in the %windir% folder. Several other files are dropped in the following folders:

%system%
%windir%

The following Registry entries are set:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

 

The entries contain the paths to the worm's executables.

 

A Notepad window with random text may be displayed.
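As an added example that is not part of the original description, the following Python checks the two autostart locations listed above against the installation behaviour described: a Run-key entry whose executable sits directly in %windir% rather than in a subfolder, and any non-empty AppInit_DLLs value (which is empty on a clean system). The registry contents are a constructed sample, since a live host would read them with the winreg module; the file names, the Windows directory path and the "directly in %windir%" heuristic are assumptions made for illustration.

```python
import ntpath

# Constructed sample contents of the two autostart locations listed above.
# On a live Windows host they would be read with the winreg module; the
# values here are made up for the example.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r'"C:\Windows\System32\SecurityHealthSystray.exe"',
    "ctfmon": r"C:\Windows\System32\ctfmon.exe /n",
    "svrmhc": r"C:\Windows\svrmhc.exe",            # constructed worm-style entry
}
SAMPLE_APPINIT_DLLS = r"C:\Windows\System32\e1.dll"  # constructed; normally empty

WINDIR = r"C:\Windows"  # assumed location of %windir%


def executable_of(command):
    """Return the executable path from a Run-key command line.
    Handles a quoted path followed by arguments, or a bare path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_autostart(run_values, appinit_dlls, windir=WINDIR):
    """Return a list of (location, name, reason) findings for the two keys."""
    findings = []
    for name, command in run_values.items():
        exe = executable_of(command)
        # Legitimate Run entries usually point into Program Files or System32;
        # an executable sitting directly in %windir% is unusual and matches
        # the installation behaviour described above.
        if ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(windir):
            findings.append(("Run", name, f"executable directly in %windir%: {exe}"))
    # AppInit_DLLs is loaded into every process that links user32.dll and is
    # empty on a clean system, so any value at all deserves review.
    for dll in appinit_dlls.replace(",", " ").split():
        findings.append(("AppInit_DLLs", dll, "DLL loaded into every user32 process"))
    return findings


if __name__ == "__main__":
    for location, name, reason in audit_autostart(SAMPLE_RUN_VALUES, SAMPLE_APPINIT_DLLS):
        print(f"[{location}] {name}: {reason}")
```

Run as a script it reports the constructed `svrmhc` entry and the AppInit_DLLs value; the two legitimate System32 entries pass. The Run-key heuristic is deliberately narrow, so a real audit would also compare entries against a known-good baseline rather than rely on the folder test alone.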

 

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files. Subject of the message may be one of the following:

Error
Good day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
test

Body of the message may be one of the following:

Mail transaction failed. Partial message is available.


The message contains Unicode characters and has been sent as a binary attachment.


The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment


Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

The attachment is either an executable of the worm, or a ZIP archive containing it. Its filename may be one of the following:

body
data
doc
docs
document
file
message
readme
test
text
Update-KB-abcd-x86

The "abcd" stands for a variable four-digit number. If an archive is attached, the name has the following extension:

.zip

If an executable is attached, a double extension may be used. The first is one of the following:

dat
doc
elm
log
msg
txt

The second is one of the following:

bat
cmd
exe
pif
scr
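As an added example, not taken from the original description, the following Python applies the subject lines and the attachment-naming scheme listed above as a mail-gateway check: a listed base name (or Update-KB-dddd-x86) carrying either .zip or a decoy/executable double extension is the strong signal, and a template subject alone only flags the message for review. The sample messages are constructed, and the verdict labels (block/review/ok) and their weighting are design choices of this example, not of the page.

```python
import re

# Subject lines and attachment base names from the description above
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail server report.", "mail transaction failed", "picture",
            "server report", "status", "test"}
BASENAMES = {"body", "data", "doc", "docs", "document", "file", "message",
             "readme", "test", "text"}
UPDATE_KB = re.compile(r"^update-kb-\d{4}-x86$")        # Update-KB-abcd-x86
DECOY_EXT = {"dat", "doc", "elm", "log", "msg", "txt"}  # first extension
EXEC_EXT = {"bat", "cmd", "exe", "pif", "scr"}          # second extension


def attachment_matches(filename):
    """True when the file name follows the worm's naming scheme: a listed
    base name (or Update-KB-dddd-x86) with either .zip or a decoy extension
    followed by an executable extension."""
    base, *exts = filename.lower().split(".")
    if base not in BASENAMES and not UPDATE_KB.match(base):
        return False
    if exts == ["zip"]:
        return True
    return len(exts) == 2 and exts[0] in DECOY_EXT and exts[1] in EXEC_EXT


def classify(message):
    """Return (verdict, reasons) for a message given as
    {"subject": str, "attachments": [file names]}."""
    reasons = []
    if message.get("subject", "").strip().lower() in SUBJECTS:
        reasons.append("subject is one of the worm's templates")
    hits = [a for a in message.get("attachments", []) if attachment_matches(a)]
    for name in hits:
        reasons.append(f"attachment name follows the worm's scheme: {name}")
    # The attachment pattern is the strong signal; a template subject such as
    # "hello" or "test" on its own is only worth a second look.
    if hits:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "ok", reasons


# Constructed sample traffic (not real captures)
SAMPLE_MESSAGES = [
    {"subject": "Mail Delivery System", "attachments": ["message.txt.exe"]},
    {"subject": "Status", "attachments": ["Update-KB-4412-x86.zip"]},
    {"subject": "hello", "attachments": []},
    {"subject": "Q3 figures", "attachments": ["report.pdf", "readme.txt"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = classify(msg)
        print(f"{verdict:6} {msg['subject']!r}: {'; '.join(why) or 'no match'}")
```

Note that a plain `readme.txt` does not match, because the scheme requires either the .zip extension or the two-part decoy/executable extension; the check deliberately keys on the combination rather than on the common base names alone.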

Other information

The worm terminates various security-related applications.

 

The worm contains a list of URLs. It tries to download several files from those addresses, and the downloaded files are then executed.