-- Update October 26, 2006 --
This latest variant downloads binary files from URLs different from those used in the past. The URLs currently in use are listed below:
Other URLs are believed to be in use and will be updated here as soon as possible.
Once executed, this latest variant displays the fake error message shown below:
Email attachment filenames differ between two typical types:
1. Spoof "update" filenames using the following convention:
Where [number] appears to be random and is meant to resemble a Knowledge Base article number for a patch or similar, and [extension] is either .exe or .zip.
2. Double extension filenames using the following convention:
Where [stub] includes, but is not limited to, test, text, doc, body, docs and document; [ext1] is one of txt, dat or msg; and [ext2] is one of bat, cmd or exe.
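As an added example (not part of the original description), the following Python triage routine applies the two attachment-naming patterns above to a list of filenames, as a mail gateway or an analyst reviewing quarantine logs might. The double-extension rule uses exactly the stub and extension sets given above. The page elides the exact "update" convention, so the update check here is an assumption: any name containing "update" followed by digits with a .exe or .zip extension is flagged. A third, broader rule goes beyond the page and flags any executable extension hidden behind a document-looking one, regardless of stub. All sample filenames are constructed.

```python
import re

# Stub and extension sets as given in the description of the double-extension convention.
STUBS = {"test", "text", "doc", "body", "docs", "document"}
INNER_EXTS = {"txt", "dat", "msg"}   # [ext1]: looks like a harmless document
OUTER_EXTS = {"bat", "cmd", "exe"}   # [ext2]: the extension Windows actually executes

# Broader set of document-looking extensions for the generalised rule (assumption, not from the page).
DOCUMENT_EXTS = INNER_EXTS | {"doc", "pdf", "jpg", "xls"}

# Assumed pattern for the spoofed "update" names; the page does not give the exact convention.
UPDATE_RE = re.compile(r"update[^.]*\d+[^.]*\.(exe|zip)$", re.IGNORECASE)

# Constructed sample attachment names for demonstration only.
SAMPLE_ATTACHMENTS = [
    "text.txt.exe",
    "document.msg.cmd",
    "body.dat.bat",
    "Update-KB000000.exe",   # hypothetical spoof-update style name
    "invoice.txt.exe",       # double extension with a stub the page does not list
    "report.txt",
    "photo.jpg",
    "notes.doc.txt",         # double extension, but the final extension is not executable
]


def is_double_extension_lure(name):
    """True when name is [stub].[ext1].[ext2] using the page's stub/extension sets.

    Matching is case-insensitive because Windows ignores extension case.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    stub, ext1, ext2 = parts
    return stub in STUBS and ext1 in INNER_EXTS and ext2 in OUTER_EXTS


def is_executable_double_extension(name):
    """Generalised rule: final extension executable, preceding one document-like.

    Goes beyond the page's stub list so names such as invoice.txt.exe are caught.
    """
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in OUTER_EXTS and parts[-2] in DOCUMENT_EXTS


def is_spoof_update_name(name):
    """Assumed heuristic for the elided 'update' filename convention."""
    return UPDATE_RE.search(name) is not None


def triage(names):
    """Return a dict of flagged filename -> reason; unflagged names are omitted."""
    flagged = {}
    for n in names:
        if is_double_extension_lure(n):
            flagged[n] = "double-extension lure"
        elif is_executable_double_extension(n):
            flagged[n] = "executable behind document extension"
        elif is_spoof_update_name(n):
            flagged[n] = "spoofed update filename"
    return flagged


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:24s} {reason}")
```

The rules are ordered from most to least specific so that the reason recorded for a name is the strongest match; a gateway policy would typically quarantine on any of the three.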
-- end update --
There are several variants of this worm; filenames, registry keys, domains, etc. differ between them, so this is a general description.
Upon execution, the worm opens Notepad and displays a text file containing random characters:
It creates a copy of itself in the Windows directory:
- %WINDIR%\t2serv.exe ( 117363 bytes )
(where %WinDir% usually refers to the C:\Windows\ directory)
Then it drops the following files:
- %SYSTEMDIR%\rsmpmsim.exe ( 12288 bytes ) W32/Stration@MM virus
- %SYSTEMDIR%\cdoskbdu.dll ( 20480 bytes ) W32/Stration@MM virus
- %WINDIR%\t2serv.dll ( 6656 bytes ) W32/Stration@MM virus
- %SYSTEMDIR%\icaacsrs.dll ( 28672 bytes ) W32/Stration@MM virus
- %SYSTEMDIR%\e1.dll ( 8192 bytes ) W32/Stration@MM virus
The DLL files are injected into the process "explorer.exe". The worm creates the following registry key:
- hkey_local_machine\software\microsoft\windows nt\currentversion\windows\appinit_dlls=" icaacsrs.dll e1.dll"
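The AppInit_DLLs value and the dropped-file list above are the host-side indicators a responder would check. The following Python helper, added here as an example and not taken from the page, parses an AppInit_DLLs value string (the registry stores it as space- or comma-separated DLL names, and the page shows it with a leading space), flags entries matching the DLL names listed for this variant, and compares observed file names and sizes against the drop list. Because the page says names and sizes differ between variants, a name match with a different size is reported separately rather than ignored. The registry value used is the one quoted above; the observed file listing is constructed. The `read_appinit_dlls_live` function reads the real value only when run on Windows.

```python
import re

# DLL names the page lists for this variant; other variants use other names.
KNOWN_DLLS = {"t2serv.dll", "cdoskbdu.dll", "icaacsrs.dll", "e1.dll"}

# Dropped files and sizes in bytes, as given on the page.
KNOWN_DROPS = {
    r"%WINDIR%\t2serv.exe": 117363,
    r"%SYSTEMDIR%\rsmpmsim.exe": 12288,
    r"%SYSTEMDIR%\cdoskbdu.dll": 20480,
    r"%WINDIR%\t2serv.dll": 6656,
    r"%SYSTEMDIR%\icaacsrs.dll": 28672,
    r"%SYSTEMDIR%\e1.dll": 8192,
}

# The AppInit_DLLs value quoted on the page, leading space included.
PAGE_APPINIT_VALUE = " icaacsrs.dll e1.dll"

# Constructed file listing from a hypothetical host (path -> size in bytes).
SAMPLE_OBSERVED = {
    r"C:\WINDOWS\t2serv.exe": 117363,            # exact match on name and size
    r"C:\WINDOWS\system32\e1.dll": 8192,         # exact match
    r"C:\WINDOWS\system32\icaacsrs.dll": 30000,  # same name, size differs (another variant?)
    r"C:\WINDOWS\notepad.exe": 60000,            # unrelated file, constructed size
}


def parse_appinit_dlls(value):
    """Split an AppInit_DLLs value into lower-cased DLL names, ignoring blanks."""
    return [t.strip().lower() for t in re.split(r"[,\s]+", value) if t.strip()]


def appinit_findings(value):
    """Report every entry, the ones matching this variant's DLLs, and whether the value is non-empty.

    AppInit_DLLs is normally empty on a client, so any entry at all deserves review.
    """
    names = parse_appinit_dlls(value)
    return {
        "entries": names,
        "known_stration": [n for n in names if n in KNOWN_DLLS],
        "nonempty": bool(names),
    }


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_dropped_files(observed):
    """Return (path, kind) pairs: 'exact' when name and size match, 'name-only' otherwise."""
    known_by_name = {_basename(p): size for p, size in KNOWN_DROPS.items()}
    hits = []
    for path, size in observed.items():
        name = _basename(path)
        if name in known_by_name:
            hits.append((path, "exact" if size == known_by_name[name] else "name-only"))
    return hits


def read_appinit_dlls_live():
    """Read the real AppInit_DLLs value on a Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        return value


if __name__ == "__main__":
    live = read_appinit_dlls_live()
    print("AppInit_DLLs:", appinit_findings(live if live is not None else PAGE_APPINIT_VALUE))
    for path, kind in check_dropped_files(SAMPLE_OBSERVED):
        print(f"{kind:9s} {path}")
```

On a 64-bit host the Wow6432Node view of the same key should be checked as well, since 32-bit processes read AppInit_DLLs from there.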
It attempts to download files from the following sites.