For a brief amount of time today, TMIRT honeypots were able to receive multiple samples of TROJ_STRAT.DR. In what seems to be another “spiked” attack, TROJ_STRAT.DR was aggressively spammed, recompiled, then spammed again. This methodology resulted in at least 10 variations of the said malware, each one with a different MD5, but with the same behavior.
TROJ_STRAT.DR is a Trojan downloader that copies heavily from its worm brother. The same timing (a few days after MS patch Tuesday), the same e-mail details (pretending to be a patch from MS), and the same file attachment format (UPDATE-KBxxxx-x86).
This trojan downloads WORM_STRAT.DR from the VEDASETIONDERUN.COM domain. Interestingly, the said domain was created only yesterday, October 18, 2006. It seems to be that the domain was created for the sole purpose of hosting downloadable STRAT variants.
OPR 855 was quickly released to protect Trend Micro customers from this malware.
