
'Stration' Worm Spawns Sneak Attacks

Anti-virus vendors missed the fact that the most massive worm attack in months has a secondary payload that has sent millions of pharmaceutical spam messages, a security intelligence company revealed Tuesday.

The Stration worm, aka Warezov, has been topic number one for anti-virus firms for almost three months, but until recently they hadn't figured out that the malware kicks into second gear about six hours after it's installed. Then, said Reston, Va.-based VeriSign iDefense, it begins sending massive amounts of spam touting Viagra, Xanax, and Propecia prescription medicines.

"Lots of AV vendors have been saying that Stration doesn't have a payload," said Mike La Pilla, an iDefense analyst. "But it does. It just takes six hours. Then it contacts a different domain, downloads a spamming Trojan, and starts sending mail."

If a user launches the file attached to the original e-mail, a small Trojan downloader executes, searches out the domain of a remote server, and downloads the Stration/Warezov worm. Stration, in turn, replicates by grabbing e-mail addresses off the compromised system. Only later does it seek out a second domain for the spam bot.

Stration's been pegged by many analysts as the malware behind a recent explosion in spam rates, and in the number of bots detected on the Internet. IDefense's analysis, La Pilla said, backs that up.
