|Type||Mass mailer worm|
|Creator||the Warezov gang|
|Place of Origin||China|
|File Type(s)||.cmd, exe, .pif, .scr, .bat|
Stration also known as Warezov is a popular botnet worm from 2006. It was created by a Chinese cracker gang and had a fierce rivalry with the gang responsible for the Storm worm. It has an extremely high number of variants, a few of which are significantly different from the original.
Stration arrives in an email. The "Sender:" will be a random name chosen from a list coded in the worm followed by four random characters, then a common email provider (yahoo, hotmail or similar). The subject line will be one of the following: Good Day, Server Report, hello, picture, Status, test, Error, Mail Delivery System or Mail Transaction Failed. The message body will be one of these:
- The message contains Unicode characters and has been sentas a binary attachment.
- Mail transaction failed. Partial message is available.
- The message cannot be represented in 7-bit ASCII encodingand has been sent as a binary attachment
The attachment name comes from strings programmed into the worm. Typically this name consists of a seemingly plausible name for a document or email (document, readme, body and similar) followed by the extension .log, .elm, .msg, .txt or .dat, which is then followed by several spaces and then an extension of .bat, .cmd, .scr, .exe, or .pif.
When Stration is executed, it copies itself to the windows folder as the file svchost32.exe. It also copies itself to a temporary folder under a file name constructed of some strings programmed into the worm, the same rules that apply to the attachment name.
It collects email addresses found in various text, document, spreadsheet, database and script files among other types. The worm then sends itself to these email addresses.
The worm then contacts the URL http://strationee.com/chr/ and downloads a file from it.
Stration produced enough variants to go through the alphabet several times. Some antivirus products claim to detect enough that they go through it enough to require three letters in a variant name (going from Stration.ZZ to Stration.AAA and beyond). Stration.LY spreads as an attachment over the VOIP program Skype. It actually spread through a link that points to the worm file. When the worm is executed, it sends the link to the user's Skype contact list.
In November of 2006, Warezov counted for 25% of viruses and worms detected according to Irish email monitoring and hosting firm IE Internet.
After about a year of little or no activity, variants of the worm reappeared in late 2008. In October of that year, trojan horses on websites offering free MP3 downloads were found that would install the worm. The worm made it difficult to fight phishing attacks, as it would turn each infected computer into a host for a fraudulent site, like a popular bank. As there would be thousands of individual fraudulent servers, taking one down still meant that there were thousands to go.
Name and Origin
The worm goes by the names Stration and Warezov. Stration comes from the website the original variant downloaded a trojan file from. Warezov comes from the name of the Chinese gang that created the worm and controlled the botnet it helped spread. It was originally based on Mydoom source code.
The worm was originally believed to have originated somewhere in Asia by a security expert at MessageLabs. It was later found to have been created by the Warezov gang based in China. When Stration and the later Storm worm came to prominence in 2007, the two became rivals in more than just for a position at the top of the virus/worm charts. The gangs that created them programmed some later variants to attack each other and gain control of the computers they had already compromised.
Nicolas Falliere. Symantec, W32.Stration.A@mm. 2007.02.13
Mikko. F-Secure Blog, Skypezov?. 2007.02.27
Maxim Kelly. ElectricNews.net, The Register,Spam: now made in China. 2006.12.04
John Leyden. The Register, Storm Worm linked to spam surge 2007.09.14.
Bob Sullivan. MSNBC Red Tape Chronicles, Virus gang warfare spills onto the Net. 2007.04.03
Dan Goodin. The Register, Warezov botnet rises from the grave. 2008.10.16
Alexander Gostev. Kaspersky Lab, SecureList.com, Malware Evolution: January - March 2007, The Internet battlefield 2007.05.10