Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Dropper
  • Protection Added: 2006-09-25

-- Update October 26, 2006 --

Another variant of this worm is in the wild. Please view the characteristics tab for more information on this latest variant.

-- end update --

The W32/Stration.dr virus drops the mass mailing worm W32/Stration@MM. that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. The W32/Stration.dr is written using Microsoft Visual C++ and also contains functionality to connect to a remote web server to download a file.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

fpo-ti-severity-legend logo-new-mcafee

-- Update October 26, 2006 --

This latest variant downloads binary files from different URLs from those in the past. The current URLs in use are listed below:[hidden][hidden]

Other URLs are believed to be in use and will be updated here as soon as possible.

Once executed this latest variant displays the fake "error" error message below:


Email attachment filenames differ between two typical types:

1. Spoof "update" filenames using the following convention:


Where [number] is seemingly random to represent a knowledge base number relating to a patch or similar and where [extension] is either .exe or .zip.

2. Double extension filenames using the following convention:


Where [stub] includes, but is not limited to test; text; doc; body; docs; document. Where [ext1] is one of txt; dat; msg and [ext2] is one of bat; cmd; exe.

-- end update --

There are several variants of this worm. The characteristics of this worm with regard to filenames, registry keys, domain, etc will differ. Hence, this is a general description.

Upon execution, the worm opens notepad and display a text file with random characters:


It creates a copy of itself into the Windows directory:

  • %WINDIR%\t2serv.exe ( 117363 bytes )

(Where %WinDir% usually refers to the c:\windows\ directory)

Then it drops the following files.

  • %SYSTEMDIR%\rsmpmsim.exe ( 12288 bytes ) W32/Stration@MM virus
  • %SYSTEMDIR%\cdoskbdu.dll ( 20480 bytes )  W32/Stration@MM virus
  • %WINDIR%\t2serv.dll ( 6656 bytes )        W32/Stration@MM virus
  • %SYSTEMDIR%\icaacsrs.dll ( 28672 bytes )  W32/Stration@MM virus    
  • %SYSTEMDIR%\e1.dll ( 8192 bytes )         W32/Stration@MM virus
  • %WINDIR%\t2serv.wax

The dll files are injected into the process "explorer.exe". The worm the following registry keys.

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    \t2serv="%WINDIR%\t2serv.exe s"
  • hkey_local_machine\software\microsoft\windows nt\currentversion
    \windows\appinit_dlls=" icaacsrs.dll e1.dll"

It attempts to download files from the following sites.

  • www2.vertionkdase<REMOVED>.com
  • www3.vertionkdase<REMOVED>.com
  • www4.vertionkdase<REMOVED>.com
  • www6.vertionkdase<REMOVED>.com

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.
For further information regarding the Method of Infection please see W32/Stration@MM description.

-- Update October 26, 2006 --

HTTP traffic or DNS requests to the URLs mentioned on the characteristics tab.

DNS MX record requests for some known mail servers.

-- end update --

  • Existence of mentioned files and registry keys