4 New Stration Variants Found

We are currently processing four new WORM_STRATION variants. These variants have mass-mailing capabilities and share the same set of email details. All four also download the file lt.exe from http://yuhadefunjinsa.com/[blank].

The four new WORM_STRATION variants were discovered within a couple of hours of each other, starting with WORM_STRATION.AZ, then WORM_STRATION.BB, WORM_STRATION.BC and (hopefully) the last, WORM_STRATION.BJ.

You may view the e-mail details of the four WORM_STRATION variants in the image below. It is worth pointing out that this worm poses as a Windows Update patch. Also, most of the attachment filenames are of the form Update-KB(four digit random number)-x86.exe, which adds to the social engineering factor by making the user think that this is a valid patch. On some variants, the worm even displays a message box with the text “Update Successfully Installed” after the worm is executed. Moreover, the release of this worm in the wild is also timed to be very near the Microsoft Vulnerability Update Patch release, which is tomorrow, Tuesday, September 12.
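The filename form described above lends itself to a simple mail-gateway check. The following is an added example, not code from the original post: it parses a message and flags attachments named in that form. The helper names, addresses and sample filenames are constructed, and case-insensitive matching is an assumption, since the post does not show exact casing.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Filename form quoted in the post: Update-KB<four digits>-x86.exe.
# Assumption: match case-insensitively, and only on the whole name.
LURE_NAME = re.compile(r"Update-KB\d{4}-x86\.exe", re.IGNORECASE)


def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw message that match the lure form."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename", falls back to
        # Content-Type "name", and collapses RFC 2231-encoded values.
        name = part.get_filename()
        if name and LURE_NAME.fullmatch(name.strip()):
            hits.append(name.strip())
    return hits


def build_sample(filename):
    """Build a constructed test message carrying one harmless attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"      # constructed address
    m["To"] = "user@example.com"          # constructed address
    m["Subject"] = "constructed sample"
    m.set_content("constructed body text")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for fname in ("Update-KB4821-x86.exe",   # matches the described form
                  "update-kb0007-X86.EXE",   # same form, different casing
                  "Update-KB12345-x86.exe",  # five digits: not the form
                  "report.pdf"):             # unrelated attachment
        verdict = "FLAG" if suspicious_attachments(build_sample(fname)) else "ok"
        print(f"{fname:28} {verdict}")
```

Since the post says only most attachment names follow this form, a name match works as a quarantine signal alongside pattern-based scanning rather than as a replacement for it.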

All in all, the four WORM_STRATION variants are well-thought-out worms that use a lot of social engineering techniques to entice potential victims into believing that the attachment is a valid Microsoft patch and executing it.

WORM_STRATION.AZ displays this message box after execution.

Some variants create a text file and open it using the default text editor.

We are continuing with the analysis of the four worm variants and will update this blog entry when new things come up.

Update (Jovs, Tue, 12 Sep 2006 01:49:57 AM)

Further investigation revealed that it has another download site named gadesunheranwui.com[foo]/[bar]/lt.exe. The file is the same as the one from the previous site.

However, curiosity got the better of me and I wondered what else is on the site. Well, along my search, I found two other files in a different directory of both domains, tested them with our pattern, and they turned out to be copies of WORM_STRATION.AE.