Win32/Stration.DH@mm!CME-416 is a mass-mailing email worm that attempts to download a file from a remote website. Win32/Stration.DH@mm!CME-416 sends itself to addresses obtained from a wide range of file types found on the infected system. The e-mail message composed by Win32/Stration.DH@mm!CME-416 may masquerade as one of the following failure messages:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
The Win32/Stration.DH@mm!CME-416 e-mail message may also masquerade as a scanning tool, as follows:
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
Win32/Stration.DH@mm!CME-416 attaches a copy of itself to the email, using one of the following filenames:
body
data
doc
docs
document
file
message
readme
test
text
Update-KB%random_numbers%-x86 (where %random_numbers% indicates a series of numbers)
Win32/Stration.DH@mm!CME-416 may use a double extension ruse, in which the filenames may be appended with one of the following:
.log
.msg
.txt
The Win32/Stration.DH@mm!CME-416 attachment has one of the following actual extensions:
.exe
.scr
.zip
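The naming scheme above (base name, optional decoy extension, actual extension) can be turned into a mail-filter check. The following is an added example, not part of the original description or of any vendor tool; the function names are hypothetical and the sample message is constructed.

```python
import re
from email.message import EmailMessage

# Naming scheme taken from the lists in the description above.
BASE_NAMES = ["body", "data", "doc", "docs", "document", "file",
              "message", "readme", "test", "text"]
DECOY_EXTS = ["log", "msg", "txt"]   # optional decoy "inner" extension
REAL_EXTS = ["exe", "scr", "zip"]    # actual extension of the attachment

PATTERN = re.compile(
    r"(?P<base>%s|update-kb\d+-x86)(?:\.(?P<decoy>%s))?\.(?P<real>%s)"
    % ("|".join(BASE_NAMES), "|".join(DECOY_EXTS), "|".join(REAL_EXTS)),
    re.IGNORECASE,
)


def classify_attachment(filename):
    """Return match details for a name that fits the scheme, else None."""
    # Keep only the last path component in case a client sends a full path.
    name = re.split(r"[\\/]", filename.strip())[-1]
    m = PATTERN.fullmatch(name)
    if m is None:
        return None
    decoy = m.group("decoy")
    return {
        "base": m.group("base").lower(),
        "decoy_ext": decoy.lower() if decoy else None,
        "real_ext": m.group("real").lower(),
    }


def suspicious_attachments(msg):
    """List attachment filenames in an EmailMessage that fit the scheme."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if classify_attachment(n)]


def build_sample():
    """Constructed sample message (not a captured one) for the demo."""
    msg = EmailMessage()
    msg["Subject"] = "Mail server report."
    msg.set_content("Mail transaction failed. Partial message is available.")
    for name in ("Update-KB4816-x86.exe", "readme.txt.scr", "report.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

A hit on a plain .zip name such as data.zip is weak on its own, since such names are common in legitimate mail; the double-extension and .exe/.scr hits are the stronger signals.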
Upon infection, Win32/Stration.DH@mm!CME-416 drops the following files into the Windows folder (typically C:\Windows\):
mswiizz32.dat
mswiizz32.wax
It also drops the file "e1.dll" into the Windows system folder (typically C:\Windows\System32).
In order to load when Windows is started, Win32/Stration.DH@mm!CME-416 modifies the system Registry as follows:
Creates value: "mswiizz32"
with data: "%windir%\mswiizz32.exe s"
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run