Stration.D sails through undetected :-(

Not too impressed with this.

I got a strange looking email yesterday and although I was suspicious about it, I thought it would be OK to *carefully* inspect it. Stupid, in hindsight.

It arrived in my mailbox completely undetected by Nod32 (2.5 with 1.1774 20060925 signature database).

The attachment was a .zip file called message.zip. I detached it to the desktop and scanned the file manually. Clean, says Nod32. So I open the zip file. In there is a single item, message.dat. You can't execute a .dat file, right? So I thought I would drag the file to my desktop and have a look inside it with a hex editor I use. Bad idea!

It turns out the file was actually called message.dat.pif and dragging it to the desktop ran it instantly and infected my machine. I spent most of yesterday running various on-line virus scanners to get my machine clean again. (I didn't trust Nod to clean the machine since it had so spectacularly missed it in the first place.)

I know in hindsight my actions were pretty stupid. But hindsight is 20:20 vision. More important, why didn't Nod offer my ANY assistance at all here?

Stration.d is a known worm and is detected by all the major AV packages. Nod claim protection against Stration.d - although its not listed in the current virus database.

I pay money for Nod32 (rather than just use a free alternative) because I was under the impression it gives me better (the best?) protection.

Am I mistaken? Is Nod32 actually not very good?

Not very happy,

Chippy

 

Was NOD set up as per Blackspears tutorial?

~snip~ replaced tinyurl ~ Blackspear: https://www.wilderssecurity.com/showthread.php?t=37509

Also, have you submitted the file to ESET?

 

It is very strnage because NOD32 has detections for this in
1.1773 (20060925)
1.1768 (20060922)
1.1767 (20060921)
1.1766 (20060921)
1.1724 (20060824)

Moreover , other variants should be detected via the heuristics

Although this message really smells of infection , how do you know it is a real threat . It is important to check your settings to verify if they are ok . Perform full scan from Control Center -> NOD32 -> Run NOD32 -> Scan&Clean

Please , send the ZIP file of the suspected message to the Lab-> samples@eset.com

 

Thanks for your replies. Yes, my setup is exactly as Blackspears tutorial. Its been setup like that since I first installed it.

How do I know it was a virus?

Good point, but it was detected as such by Kaspersky and then by Bit Defender.

Very unfortunately, I cannot send a copy because Bit Defender went and deleted it without prompting.

Chippy

 

Good news this crap has been cleaned for you but in order this variant to be detected , ESET should have a sample of it , analyze it and push an update if neccessary.
If you find some way , pls submit it to ESET Labs samples@eset.com

Thanks for letting us know !

 

Yeah I understand you need a sample. I was very surprised that the online scan from Bit Defender just went and deleted the file without asking. I had already deleted the email as I thought I would just keep the file.

So we are out of luck :-(

Chip

 

You must be using an outdated version, NOD32 is among the first to detect it, if it slips through heuristics.

AntiVir 7.2.0.18 09.26.2006 no virus found
Authentium 4.93.8 09.25.2006 no virus found
Avast 4.7.892.0 09.26.2006 no virus found
AVG 386 09.25.2006 no virus found
BitDefender 7.2 09.26.2006 no virus found
CAT-QuickHeal 8.00 09.25.2006 no virus found
ClamAV devel-20060426 09.26.2006 no virus found
DrWeb 4.33 09.26.2006 no virus found
eTrust-InoculateIT 23.73.5 09.26.2006 no virus found
eTrust-Vet 30.3.3100 09.25.2006 Win32/Stration.BP
Ewido 4.0 09.26.2006 no virus found
Fortinet 2.82.0.0 09.26.2006 no virus found
F-Prot 3.16f 09.25.2006 no virus found
F-Prot4 4.2.1.29 09.25.2006 no virus found
Ikarus n - no virus found
Kaspersky 4.0.2.24 09.26.2006 no virus found
McAfee 4859 09.25.2006 no virus found
Microsoft 1.1603 09.26.2006 no virus found
NOD32v2 1.1776 09.26.2006 Win32/Stration.EV
Norman 5.90.23 09.25.2006 no virus found
Panda 9.0.0.4 09.25.2006 no virus found
Symantec 8.0 09.26.2006 no virus found
TheHacker 6.0.1.081 09.26.2006 no virus found
UNA 1.83 09.25.2006 no virus found
VBA32 3.11.1 09.25.2006 no virus found
VirusBuster 4.3.7:9 09.25.2006 no virus found

Try the following:
- download the latest version of NOD32 from our website (the full version already comes with the update 1.1776 so there's no need to update it after installation)
- immediately after the next restart, start Windows in safe mode and run a full system scan
- finally reboot the computer

 

Doesn't look like an old version to me?

 

It does to me; however, this person would have been one of the first lucky recipients in the world to receive this worm.

What one day can make sometimes, and this is that day that you want NOD32 up to date and hungry for a feast.

Cheers

 

When I said it didn't look outdated, I took into account that the OP stated he got the file yesterday (25th) and at that time ran virus definitions from the 25th.

So, presumably, he was as updated as he could be at the time, and just unlucky. No definition available yet and heuristics missed the strain.

 

Correct, someone has to be the first, and there are no prizes for being such

Cheers

 

I heard from a guy from another AV company that they had received more than 500 variants of the worm within a single day.

 

I received till today 3 variants in may mail box and all were detected heuristically by NOD32. One was today.

 

Oh is it? There are numerous of older versions which are mew packed and some of them going completely undected by all av programs. However, these versions are not widely spreaded and it's difficult to keep track with versions here since you have many of them. Another thing is that this worm drops components, so it is possible that some undected component is a dropped part.

 

I have a hunch that this will change shortly, at least for NOD32 users and hopefully for yours as well

 

good news Marcos! Anyway, I see you're covering this threat by heuristics very well till now. (and by signatures also)

 

Sorry I have missed the latest posts here.

@Mascot: Absolutely right, I was bang up-to-date with signature files at the time the virus hit.

Since then, I have managed to get hold of a copy of the virus. (I managed to "undelete" the deleted file with a utility I have.

Interestingly, with today's signature file (1.1781 20060928 ) Nod picks it up straight away. Shame it didn't do that in the first place!

Anyway, I will send it to you guys for inspection when I finish typing here.

Cheers

Chippy

EDIT: File sent for analysis.

 

Incidentally, now 1.1781 is detecting this virus OK, can I be sure that my system is clean? I have all the Nod settings up to the max and done an "In Depth Analysis" and it comes up clean.

Does this mean I can be sure my system doesn't have any nasties lying around after the infection?

In particular, I do online banking and I have been very reluctant to log onto any of my financial websites following this virus attack.

Am I being paranoid?

Cheers

Chippy

 

Chippy you're ok now if you have all the amximum settings
Strange they've added it only today. Anyway, if you happen to come across other viruses not detected send them from the first day as they may add it faster.

 

I think that what they have added today is an update for the generic detection for this threat since it was previously detected in 1.1773 , 1.1768 , 1.1767 , 1.1766 , 1.1724 .

Anyway , good to see we are protected against this worm

 

Well, I don't exactly what as Chippy reffering to with "detecting this virus OK"
Detecting it with definition instead of heuristics or it was not detected at all since now and ESET added it.

 

don't suppose you can elaborate further on this could you...?

 

Just to clarify, I haven't changed any Nod32 settings. I have had it set up as per Blackspears recommendations for many months (years?).

With virus signature 1.1774 20060925, this virus is not detected at all, even by an "in depth analysis" scan. So clearly neither the heuristics, nor the signature file would detect it.

With virus signature 1. 1781, Nod detects it immediately. Either by right-clicking on the file and manually testing it, or by running a full scan. (I didn't dare risk testing it by actually opening the zip file!) Whether some improvement to the heuristics has been made, or whether the later signature file has explicit information about this virus, I do not know.

I don't know whether anything prior to 1.1781 would pick it up because I only yesterday managed to retrieve a copy of the virus to test.

Chippy

 

Thanks for clarifying the issue. Anyway, which is the name of the virus exactl?
You can search it in NOD32 database to see when was it added.

See here: www.nod32sse.com

 

Kaspersky and others identified it as Win32/Stration.D... er, hence the title of the thread ;-)

Nod now identifies it as Win32/Stration.EM worm.

Interestingly enough, you can see "Win32/Stration" listed in the link you provided above, under the 1.1781 update - dated 28th September. i.e. 2 days *after* I got infected.

I find that interesting since HighTechboy said that Nod has detection from Stration in since 1.1724, back in August.

Chip