Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | October 2007 (4.22) |
| Protection available since | 26 August 2006 12:42:33 (GMT) |
| Last updated | 1 September 2007 14:45:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for disinfecting PE executables.
More Information
W32/Strati-Gen is a family of mass-mailing worms and downloaders for the Windows platform.
Some members of W32/Strati-Gen spread by sending emails with itself as an attachment. Emails usually take the following form:
The subject line is usually chosen from the following:
hello
picture
Server Report
Status
test
Good Day
Error
Mail Delivery System
Mail Transaction Failed
The message text is usually chosen from the following:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-Bit ASCII encoding and has been sent as a binary attachment.
The worm is included as a file attachment with a filename of the following form. The attachment filename starts with one of the following:
body
data
doc
docs
document
file
message
readme
test
text
The filenames have a double file extension, with a large number of spaces between the two file extensions. For instance, a typical filename might be:
body.log .cmd
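The mail-side indicators above (subject lines, body texts, the prefixed filename with a whitespace-padded double extension, and the "Update-KB<random numbers>-x86.exe" name described further down) can be applied at a mail gateway. The following is an added example written for this page, not Sophos code and not part of the original advisory. The set of extensions treated as executable and the threshold of two or more whitespace characters between the extensions are assumptions; the sample messages are constructed, not real captures.

```python
import re

# Indicator strings transcribed from the advisory; matching is case-insensitive.
SUBJECTS = {"hello", "picture", "server report", "status", "test", "good day",
            "error", "mail delivery system", "mail transaction failed"}
BODY_SNIPPETS = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
)
NAME_PREFIXES = ("body", "data", "doc", "docs", "document", "file",
                 "message", "readme", "test", "text")
# Assumption: extensions the gateway policy treats as directly executable.
EXEC_EXTENSIONS = {"exe", "cmd", "bat", "scr", "pif", "com"}

# "<stem>.<inner>   ...   .<outer>": a benign-looking inner extension, a run of
# whitespace (assumed: two or more characters), then a second extension.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>[^.\s]+)\.(?P<inner>[a-z0-9]{1,5})\s{2,}\.(?P<outer>[a-z0-9]{1,4})$",
    re.IGNORECASE)
# Filename described at the end of the advisory: Update-KB<digits>-x86.exe
FAKE_UPDATE_NAME = re.compile(r"^Update-KB\d+-x86\.exe$", re.IGNORECASE)


def attachment_indicators(filename):
    """Return the reasons an attachment name matches the worm's naming pattern."""
    if FAKE_UPDATE_NAME.match(filename):
        return ["fake Windows update name"]
    m = PADDED_DOUBLE_EXT.match(filename)
    if not m:
        return []
    reasons = ["padded double extension"]
    if m.group("outer").lower() in EXEC_EXTENSIONS:
        reasons.append("executable final extension")
    if m.group("stem").lower().startswith(NAME_PREFIXES):
        reasons.append("known filename prefix")
    return reasons


def classify_message(subject, body, attachment_names):
    """Score one message; returns the matched indicators and a gateway verdict."""
    indicators = []
    if subject.strip().lower() in SUBJECTS:
        indicators.append("known subject")
    normalised = " ".join(body.lower().split())   # collapse line wraps and spacing
    if any(snippet in normalised for snippet in BODY_SNIPPETS):
        indicators.append("known body text")
    hard_hit = False
    for name in attachment_names:
        hits = attachment_indicators(name)
        indicators.extend(f"attachment {name!r}: {h}" for h in hits)
        if "executable final extension" in hits or "fake Windows update name" in hits:
            hard_hit = True
    if hard_hit:
        verdict = "block"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    # Constructed sample messages (not real captures).
    padded = "body.log" + " " * 40 + ".cmd"
    print(classify_message("Mail Delivery System",
                           "Mail transaction failed. Partial message is available.",
                           [padded]))
    print(classify_message("Re: invoice", "Please see attached.", ["report.pdf"]))
```

Subject and body matches alone only raise the message to "suspicious", because bounce notifications with similar wording are legitimate; the verdict becomes "block" only when an attachment carries an executable final extension behind the padding or uses the fake update name.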
When first run, members of W32/Strati-Gen usually copy themselves to the Windows folder, and some may also drop some of the following files:
<System>\<random>.dll
<System>\<random>.exe
<System>\<random>.dll
Members of W32/Strati-Gen may also drop another dll file to the Windows or Windows system folder.
Members of W32/Strati-Gen often set a registry entry at the following location to run themselves at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Some members of W32/Strati-Gen attempt to terminate processes and services related to certain security and anti-virus applications.
Some members of W32/Strati-Gen modify the HOSTS file to prevent access to certain security and anti-virus related URLs.
Members of W32/Strati-Gen usually include functionality to download, install and run new software.
Members of W32/Strati-Gen often set the following registry entry:

| Key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs | <random>.dll |
Some members of W32/Strati-Gen create the following registry entries to run code exported by a dropped dll on startup:

| Key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<dllname> | DllName | <path to dll> |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<dllname> | Startup | WlxStartupEvent |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<dllname> | Impersonate | 0 |
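The host-side artifacts the advisory lists (the Run key, AppInit_DLLs, the Winlogon\Notify subkeys, and the HOSTS file edits mentioned earlier) can be triaged offline from a `reg export` of the affected hive and a copy of the HOSTS file. The following is an added example written for this page, not Sophos code and not part of the original advisory. The allowlist of Winlogon Notify packages is an assumption (packages present on a default Windows XP install), the Run-key check is a heuristic for executables placed directly in the Windows folder, and the sample export, the HOSTS lines and the watched domain are constructed placeholders.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumption: Notify packages present on a default Windows XP install; anything else is reviewed.
KNOWN_NOTIFY_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_reg_export(text):
    """Parse 'reg export' output (.reg version 5 syntax) into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"'):                  # REG_SZ: quoted, backslashes doubled
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.startswith("dword:"):           # REG_DWORD: hexadecimal
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def audit_persistence(keys):
    """Check the three persistence locations the advisory describes; returns (location, detail)."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Heuristic: an .exe sitting directly in the Windows folder, where the worm copies itself.
        if re.match(r'^"?[a-z]:\\windows\\[^\\]+\.exe', str(data), re.IGNORECASE):
            findings.append(("Run", f"{name} -> {data}"))
    appinit = str(keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")).strip()
    if appinit:   # empty on a clean system of that era; any value deserves a look
        findings.append(("AppInit_DLLs", appinit))
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        if package.lower() in KNOWN_NOTIFY_PACKAGES:
            continue
        findings.append(("Winlogon\\Notify",
                         f"{package}: DllName={values.get('DllName')} "
                         f"Startup={values.get('Startup')} Impersonate={values.get('Impersonate')}"))
    return findings


def hosts_redirects(hosts_text, watched_domains):
    """Return (hostname, address) for HOSTS lines that pin a watched domain or a subdomain of it."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()    # drop comments, then tokenise
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for n in names:
            low = n.lower()
            if any(low == d or low.endswith("." + d) for d in watched_domains):
                hits.append((n, addr))
    return hits


# Constructed sample export and HOSTS file (not real captures); "rmxsv" stands in for <random>.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rmxsv"="C:\\WINDOWS\\rmxsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="rmxsv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rmxsv]
"DllName"="C:\\WINDOWS\\system32\\rmxsv.dll"
"Startup"="WlxStartupEvent"
"Impersonate"=dword:00000000
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 update.av-vendor.example  # placeholder domain\n"
WATCHED = {"av-vendor.example"}   # placeholder for the security-vendor domains you care about

if __name__ == "__main__":
    for finding in audit_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(*finding)
    print(hosts_redirects(SAMPLE_HOSTS, WATCHED))
```

On the constructed sample this reports the Run entry in the Windows folder, the non-empty AppInit_DLLs value and the unknown Notify package together with its DllName, Startup and Impersonate values, while leaving the built-in crypt32chain package alone; the HOSTS check reports the pinned vendor subdomain. A non-empty AppInit_DLLs or an unlisted Notify package is a lead for review rather than proof of infection, since legitimate software has used both mechanisms.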
Some members of W32/Strati-Gen arrive in a zip containing the filename "Update-KB<random numbers>-x86.exe", or simply as an executable with that name.
When first run, some members of W32/Strati-Gen display a message box with the title "Information" and the text "Update successfully installed".
