Stration/Warezov worms prolific


14 replies to this topic

#1 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 31 October 2006 - 01:12 PM

FYI...

- http://www.techweb.c..._section=700028
October 31, 2006
"The wildly prolific Stration worm cracked October's top 10 list of most prevalent malware, a security company said Tuesday, using extremely aggressive, if not original, tactics. Two variants of the Stration worm -- also called "Warezov" -- made Sophos' top 10 for the month. According to the U.K.-based vendor, "several hundred" versions of the worm were spammed to users during the month, with the family accounting for more than half of all reported malicious code on some days. The versions grabbed the number three and number six spots on the list..."

- http://www.sophos.co...tober-2006.html
31 October 2006
"...variants of the Stratio worm (also known as Stration or Warezov) have entered the top ten for the first time. Several hundred variants of the worm were widely spammed out during the month, on some days accounting for more than 50% of all reported malware... 'Home users who haven't installed or updated their anti-malware protection remain the most vulnerable targets..'..."

The machine has no brain. Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...

#2 AplusWebMaster

Posted 07 November 2006 - 02:15 PM

FYI...

- http://www.techweb.c..._section=700028
November 07, 2006
"...The Stration worm, aka Warezov, has been topic number one for anti-virus firms for almost three months, but until recently they hadn't figured out that the malware kicks into second gear about six hours after it's installed. Then, said Reston, Va.-based VeriSign iDefense, it begins sending massive amounts of spam touting Viagra, Xanax, and Propecia prescription medicines. "Lots of AV vendors have been saying that Stration doesn't have a payload," said Mike La Pilla, an iDefense analyst. "But it does. It just takes six hours. Then it contacts a different domain, downloads a spamming Trojan, and starts sending mail." If a user launches the file attached to the original e-mail, a small Trojan downloader executes, searches out the domain of a remote server, and downloads the Stration/Warezov worm. Stration, in turn, then replicates by grabbing e-mail addresses off the compromised system. Only later does it seek out a second domain for the spam bot... The worm not only harvests e-mail addresses, but also collects ICQ contacts it finds on the infected PC. "Most of these [ICQ-caused infections] are in Russia, Estonia, Latvia, and the like," said La Pilla, in large part because the IM client is most popular in Eastern Europe. Few anti-virus vendors noticed the ICQ angle, said La Pilla; exceptions were Grisoft, a Czech-based security company that markets the AVG line, and ESET, a Slovakian anti-virus company that produces NOD32. The circumstantial connection between Stration and the rapid rise in spam rates for October got a bit stronger Tuesday as the SANS Institute's Internet Storm Center correlated the increase in spam volume with a considerable jump in the number of infected systems Internet-wide*..."
* http://isc.sans.org/...hp?storyid=1828

> MessageLabs report: http://tinyurl.com/ylkutb

:grrr:

#3 AplusWebMaster

Posted 14 November 2006 - 04:42 PM

More...

Connecting the Warezov domain dots
- http://www.f-secure....6.html#00001018
November 11, 2006
"...when comparing the domain names used in the virus to domains shown in the spam messages, we can see that they overlap, proving that these are all part of single operation (see the URL above for the list)... The Warezov operation started in the middle of August 2006 and continues to this day. Two more things:
1) No, we don't know if these domain names mean something in some language.
2) The case is under police investigation."

#4 AplusWebMaster

Posted 22 November 2006 - 06:34 AM

FYI...

Online Scanner Top 20 for October 2006 - Kaspersky
- http://www.viruslist...pubid=204791906
Nov 01 2006
"...In October Warezov accounted for 27% of all viruses detected in mail traffic and over 15% of viruses in the online rankings..."


:ph34r:

#5 AplusWebMaster

Posted 27 November 2006 - 06:44 PM

FYI...

Zero day Warezov
- http://www.f-secure....6.html#00001032
Monday, November 27, 2006
"We've added detection for the following variants, and there are probably more on the way:
W32/Warezov.HB
W32/Warezov.HC
W32/Warezov.HD
W32/Warezov.HE
W32/Warezov.HF
W32/Warezov.HG
W32/Warezov.HH
W32/Warezov.HI
W32/Warezov.HJ ...

...See the list*
* http://www.f-secure....re_domains.html
"Domains known to be used by Warezov variants for downloading..."
EDIT -> List current as of November 30, 2006

:ph34r:

Edited by apluswebmaster, 30 November 2006 - 01:22 PM.


#6 AplusWebMaster

Posted 26 December 2006 - 05:58 AM

FYI...

Happy New Warezov
- http://www.f-secure....6.html#00001059
December 25, 2006
"A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise. The attachment is called postcard.zip and the text of the message says:
Hi, you’ve just received a postcard.
For: (your email address)
From: ---
Text: Happy New Year!
Postcard:
Click on attachment to view a postcard.
When run, the malware connects to www6. easeruikingandefunjs. com ( DO NOT VISIT) and downloads a Warezov variant. We detect this now as Trojan-Downloader.Win32.Small.edn."

:eek:

#7 AplusWebMaster

Posted 29 December 2006 - 08:27 AM

FYI...

- http://isc.sans.org/...hp?storyid=1987
Last Updated: 2006-12-29 13:58:47 UTC
"..."postcard.exe" is currently being spammed in EMails with the subject "Happy New Year". AV coverage is still thin.
MD5: 4adf7a3719c485a4e482498874b6695f
> Update 1105UTC: AV protection coming online, Trojan-Downloader.Win32.Tibs.jy (Kaspersky), W32/Dref-U (Sophos) W32.Nuwar.AY (TrendMicro)."

Also:
- http://www.f-secure....6.html#00001061
December 29, 2006

:eek:

#8 AplusWebMaster

Posted 06 January 2007 - 09:12 AM

FYI...

Virus Top Twenty for December 2006
- http://www.viruslist...pubid=204791914
Jan 02 2007
"Position | Change in position | Name | Percentage
1. | New! | Email-Worm.Win32.Warezov.fb | 19.41
2. | Return | Email-Worm.Win32.Warezov.dn | 9.88
3. | New! | Email-Worm.Win32.Warezov.hb | 9.57 ..."

:!:

#9 AplusWebMaster

Posted 16 January 2007 - 09:00 AM

FYI...

- http://www.f-secure....7.html#00001081
January 16, 2007
"After a relatively short period of inactivity, Warezov has returned with about a dozen new variants in the last 24 hours. Variant KA received its moniker at the end of yesterday with update 2007-01-15_13. There is also a new domain to block: ertikadeswiokinganfujas.com. You'll find a more comprehensive list here*."

* http://www.f-secure....re_domains.html


#10 AplusWebMaster

Posted 17 January 2007 - 11:06 AM

More...

- http://www.virusbtn..../2007/01_16.xml
16 January 2007
"... The latest variants show once more the organisation and determination of the criminals behind the worm family, which has been consistently tweaked and evolved in a series of waves to minimise detection from security software and maximise infection rates. The latest variants of the worm typically arrive in (e)mails claiming to include an attached postcard, or with Unicode content contained in an attached file..."

> http://www.virus-rad.../index_enu.html


:!:

Edited by apluswebmaster, 18 January 2007 - 06:11 AM.


#11 AplusWebMaster

Posted 23 January 2007 - 10:39 AM

More "Stration" (Warezov) variants just about every day now...

See: http://www.virus-rad.../index_enu.html



:eek:

#12 AplusWebMaster

Posted 03 March 2007 - 05:11 AM

FYI...

- http://www.f-secure....7.html#00001130
March 3, 2007 ~ "New Warezov run has been going on for some hours now. The emails seem to be constant and look like this:

'Do not reply to this message

Dear Customer,

Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.

Customer support center robot
'

The attachment is a ZIP file which contains a static EXE file. The name varies, but it's always like
Update-KB[random numbers]-x86.exe. MD5 is 2A9D6942D891F534E288830F6EA52615."

:eek:

#13 AplusWebMaster

Posted 22 March 2007 - 03:00 PM

FYI...

Malicious Code: New Warezov spreading via Skype
- http://www.websense....php?AlertID=757
March 22, 2007
"Websense Security Labs(TM) has discovered a new set of the Warezov/Stration malicious code. This new code is currently spreading through the Skype network. Although the code itself is not self-propagating, when it runs, a URL is sent to all users within the user's Contacts List. This attack appears to be the same as the version mentioned on the F-Secure Blog Feb 27th, http://www.f-secure....7.html#00001126, but with new URL information and a new version of the malicious code.
Skype users receive a message that says "Check up this," with a URL containing a hyperlink. When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are prompted to run the file (note: there is no vulnerability within Skype). If the user runs the file, several other files are downloaded and run. The files listed below are loaded from different domains. These domains were up and running at the time of this alert.
1e61617b7498c5cad41c4d26b8e4ca8c file_01.exe
7c2b181ab4fbe858e22bbbdc725e4f53 gdi32.exe
7306bed6c39560ed78fe67cfc5e643c8 ndis.exe
5262a217d2ca7f28be6fc398d8f8aee3 sk.exe
The user's contacts also receive the URL within Skype. Once the Trojan is installed in a system, it tries to connect to a Yahoo mail server to send an SMTP message. However, that server does not seem to be operative and the communication fails. This inoperability is probably an attempt to notify the attacker that a certain machine has been infected.
The downloaded files are other versions of the Warezov/Stration malicious code. This code opens backdoors to the users' systems and also downloads new code."

(Screenshot available at the URL above.)

:eek:

#14 AplusWebMaster

Posted 03 April 2007 - 01:23 PM

FYI...

Warezov Returns
- http://www.f-secure....7.html#00001160
April 3, 2007 ~ "Hot on the heels of the new ANI exploit is a new Warezov sample. No variations were seen from the e-mail samples received and they all look like this*... The attachment is a ZIP file that contains an executable file. The filename is in the form of Update-KB[random numbers]-x86.exe ..."

* (Screenshot available at the URL above.)

:eek:

Edited by apluswebmaster, 03 April 2007 - 01:25 PM.


#15 AplusWebMaster

Posted 19 April 2007 - 03:04 AM

FYI...

- http://www.f-secure....7.html#00001172
April 19, 2007 ~ "It's been awhile since the last attack of the Warezov gang. But it seems now they're back in action... e-mail of the new Warezov... being spammed... The zip file attachment contains an executable file that uses a text file icon as a decoy (Update-KB4765-x86.exe)... This executable file is a downloader for its other components. The link is encrypted with a simple XOR. For system administrators, you may want to block network traffic from the following malicious link: linktunhdesa .com /h[REMOVED]2.exe ..."

(Screenshots available at the F-secure URL above.)


:eek:

Edited by apluswebmaster, 19 April 2007 - 03:06 AM.
