Stration worm targets Windows machines

The worm uses several fake email messages, including one claiming to be a security update. Users are advised to avoid unsolicited email attachments.

Antivirus vendors are warning customers to avoid unsolicited email attachments as another worm takes aim at Windows machines. Some vendors have named the worm Stration, while others are calling it Warezov.

Sophos has said in an advisory that W32.Stration-AN has been "aggressively distributed" by its author since early on 25 September. It travels by email using a variety of fake messages, one of which is an infection warning with the following characteristics:

Subject line: Mail server report.

Message text: "Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses Please install updates for worm elimination and your computer restoring. Best regards, Customers support service."

Attached file: Update-KB7859-x86.zip [which contains the file Update-KB7859-x86.exe]
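A gateway-side check for the lure described above, as an added example that is not part of the original article or any vendor's code: it flags attachments that are executables or ZIP archives containing one, judging archives by content rather than file name. The extension list, function names and sample addresses are assumptions, and the sample message is constructed with a harmless placeholder file.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs directly; an assumed, non-exhaustive policy list.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def scan_message(raw: bytes) -> list[str]:
    """Return one finding per attachment that is, or contains, an executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment: {name}")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # Identify archives by content so a renamed ZIP is still inspected.
            # Member names are listed only; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        findings.append(
                            f"executable inside archive {name}: {member}")
    return findings


def build_sample(attachment_name: str, member_name: str) -> bytes:
    """Constructed test message: a ZIP holding a harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "support@example.com"   # constructed address
    msg["To"] = "user@example.com"        # constructed address
    msg["Subject"] = "Mail server report."
    msg.set_content("Please install updates for worm elimination.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Update-KB7859-x86.zip", "Update-KB7859-x86.exe")
    print(scan_message(lure))
```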

Sophos Senior Technology Consultant Graham Cluley said the worm was "being seen widely" at email gateways. "Anyone accessing their email has to learn to resist the temptation of opening unsolicited attachments, and ensure their anti-virus protection is kept fully up-to-date," he said in a statement.

Cluley said the worm may be using the fake security warning to exploit fears over the Internet Explorer VML flaw, which has been the target of multiple attacks in recent days.

"Many Windows users are waiting anxiously for Microsoft to fix the VML flaw in its code, which has been exploited by hackers online," Cluley said. "It's possible that the people behind the Stration worm are playing on the Internet community's heightened concern while they are left unprotected by Microsoft, and may be able to fool innocent users into rushing into running the malicious update."

The lesson, he said, is that users should only expect security updates to come via the vendor's official Web site, not as unsolicited email attachments.

Russian antivirus firm Kaspersky Lab is calling the worm Warezov-AT and labeled it a severe risk in its advisory because it is "spreading rapidly."

"The worm sends itself to addresses harvested from the MS Windows address books," Kaspersky Lab said. "The worm uses its own SMTP library to send infected messages."

Cluley and Mikko Hypponen, chief research officer for Helsinki, Finland-based F-Secure, confirmed by email Monday that Stration and Warezov are the same worm. Like Kaspersky Lab, F-Secure is calling it Warezov.
