
Worm that disarms security software

Stration.C is an email-based worm that downloads malicious files from the Internet and disables security software.

The Stration.C worm collects the e-mail addresses needed for its spread from the Windows address book and from files with different extensions on infected computers. The worm creates a number of files and modifies the registry. It then tries to disable security software — especially firewalls — in order to be able to download files freely from the Internet.

When Stration.C starts, it performs the following actions:

1. Creates the following files:
%Windir%\smb.exe
%Windir%\smb.dll
%Windir%\smb.wax
%Windir%\smb.gfx
%System%\acac.dll
%System%\corpdpvv.exe
%System%\d3diusp1.dll
%System%\fldrtsd3.dll
%System%\sisbmsxb.dll
[random numbers].tmp

2. Adds the value
"rsmb"="%Windows%\smb.exe s"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3. Adds the following entry to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac

4. Adds the value
"AppInit_DLLs"="sisbmsxb.dll fldrtsd3.dll"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

5. Stops the services associated with the security software.

6. Downloads and launches a file.

7. Collects email addresses from the Windows Address Book and from files with various extensions, then sends itself to these addresses.
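
A triage check for the file and registry indicators listed in steps 1 to 4, added here as an example and not part of the original write-up. It reads `reg query`-style text and a file listing; the sample snapshot is constructed, and treating %System% as `<windir>\system32` is an assumption.

```python
import re
from pathlib import PureWindowsPath
# Indicators copied from the worm description above.
FILES = {"windir": {"smb.exe", "smb.dll", "smb.wax", "smb.gfx"},
         "system": {"acac.dll", "corpdpvv.exe", "d3diusp1.dll", "fldrtsd3.dll", "sisbmsxb.dll"}}
APPINIT = {"sisbmsxb.dll", "fldrtsd3.dll"}
MS = "hkey_local_machine\\software\\microsoft\\"
RUN = MS + "windows\\currentversion\\run"
WINDOWS = MS + "windows nt\\currentversion\\windows"
NOTIFY = MS + "windows nt\\currentversion\\winlogon\\notify\\acac"

def parse_reg_query(text):
    """Yield (key, name, data) from `reg query` output; name is None on a key line."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            yield key, None, None
        elif key and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # name, type, data
                yield key, parts[0].lower(), parts[2]

def scan(reg_text, file_paths, windir=r"C:\WINDOWS"):
    """Return indicator hits. Assumption: %System% is <windir>\\system32."""
    dirs = {"windir": PureWindowsPath(windir), "system": PureWindowsPath(windir, "system32")}
    hits = ["file:" + p.name.lower() for p in map(PureWindowsPath, file_paths)
            for where, names in FILES.items()  # path comparison is case-insensitive
            if p.parent == dirs[where] and p.name.lower() in names]
    for key, name, data in parse_reg_query(reg_text):
        if key == NOTIFY and name is None:
            hits.append("reg:winlogon-notify-acac")
        elif key == RUN and name == "rsmb" and "\\smb.exe" in data.lower():
            hits.append("reg:run-rsmb")
        elif key == WINDOWS and name == "appinit_dlls":
            # The value is space- or comma-delimited; entries may be full paths.
            dlls = {PureWindowsPath(d).name.lower() for d in re.split(r"[ ,]+", data)}
            hits += ["reg:appinit:" + d for d in sorted(dlls & APPINIT)]
    return hits

# Constructed sample snapshot, not real telemetry.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    rsmb    REG_SZ    C:\WINDOWS\smb.exe s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    sisbmsxb.dll fldrtsd3.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac
"""
SAMPLE_FILES = [r"C:\WINDOWS\smb.exe", r"c:\windows\system32\ACAC.DLL", r"C:\Users\a\smb.exe"]
```

`scan(SAMPLE_REG, SAMPLE_FILES)` flags the two files in the expected directories and all three registry changes, and ignores the `smb.exe` copy under the user profile.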

The subject line of infected messages may be:
Hello
picture
Server Report
Status
test
Good day
Error
Mail Delivery System
Mail Transaction Failed

Files with .log, .elm, .msg, .txt, or .dat file extensions can be named:
body
date
do
docs
document
fillet
message
readme
test
text
