w32/stration

Well that was fun…
I just spent 5 days cleaning my system out from this worm. AVAST free edition didn't EVER pick it up, so I installed AVG, it picked up the worm - but couldn't find the dropper!

In the end - I had to install PREVX1 to block it, and then slowly but surely go through my system checking ALL my files to find the bleeding dropper - and the only way I could do this? I had to set the columns to show the date of creation and modification!

Just for info, it turned out to be a copy of NOTEPAD which I had to delete and then replace with a copy from the original sp1 version from CD just to make sure!

Any reason why AVAST didnt pick up anything?

The virus goes by different names on different sites:
Email-Worm.Win32.Warezov.a (Kaspersky)
W32.Stration.A@mm (Symantec)
W32/Spamta.A.worm (Panda)
W32/Stration-A (Sophos)
W32/Stration.A (Norman)
W32/Stration@mm (Fortinet)
Win32/Stration.A (ESET)
Worm.Stration.A (ClamAV)
WORM_STRATION.A (Trend Micro)

Hi general chaos,

Here is a routine for cleansing W32/stration

  • Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click ‘Yes to all’ if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable as you’ll see in the next image:
    [image attached to the original post]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can’t be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously, along with a new HijackThis log, in your next reply.

polonus

You possibly got infected by a very new variation. Please send it to virus[at]avast.com in a password-protected .zip file, along with a short description and the password to un-zip the file.

As a matter of fact, avast already detects dozens of Win32.Warezov (that’s what they call it) variations and new ones are added to the virus database almost daily.
See here: http://www.avast.com/eng/vps_history.html
Virus description: http://www.avast.com/eng/win32-warezov-family.html

Here's the news guys … Avast still can't handle it five days later!!

My son's machine is infected with what Avast identifies as Warezov-LE. It spots it and moves it to the chest, but after a reboot it reappears. Avast is not picking up the root dropper.

After 18 months of telling everyone how wonderful Avast and Alwil are, I am beginning to have my doubts.

As a side comment, Symantec has a general how to remove Warezov section, but this variant does not have the same registry entries that they identify.

Why is Alwil doing so bad (again) with signatures updates…?

It’s a pity :cry: :-\

Will DrWeb CureIT! be able to deal with this infection? See http://download.drweb.com/drweb+cureit/

:slight_smile: Hi :

You should NOT expect Avast to deal with every piece of malware coming through the phone lines; you should have a "layered" defense, which includes antiSPYWARE program(s), antiTROJAN program(s), a 2-way firewall and at least one rootkit detection program.

This link gives a bad file, but if you go to the drweb site it will lead you to another link which is downloading very slowly, but then i guess it is very busy too …

Easy for you to say … Mebbe that's fine for the cerebral user, but I don't even know what it means after thirty plus years in IT!

I think, I have it fixed … but …

  1. Avast sees the created files & handles them, but it doesn’t stop the mailer sending out emails, it just keeps trapping the executable …

  2. Having a very good idea of when the infection occurred, I ran a Search on Windows/System32/ and looked for files created in that 24 hour period and set them up for Deletion by Dr. Delete

  3. Then I ran Dr. Web CureIt … that didn't pick up Stration/Warez, but it did find 18 other “items” that Avast doesn't see; mebbe one or more were related?

  4. Then I ran AVG, and it found what it identified as a Stration.

  5. As it was the middle of the night and the only other thing I had to do was sleep, I then reran Cureit, and then another AVG scan. Both came up clean.

Now, fingers crossed …

Can I send a file from the AVG chest to Avast? Would it help
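The two posters above both tracked the dropper down by hand: sorting the folder on creation date, searching System32 for files created in the suspected 24-hour window, and finally replacing a tampered notepad.exe with a copy from the install CD. The script below is an added example (not code from the thread or from any of the vendors named) that does the same triage from PowerShell: it lists every file in System32 created inside a window, with its signature status and SHA-256, and compares the current notepad.exe against a known-good copy. The time window and the known-good path are placeholders to be filled in by whoever runs it.

```powershell
# Added example, not from the thread. Triage System32 by creation time and
# compare a suspect system file against a known-good copy. All paths and the
# time window are placeholders (assumptions), not values from the thread.

function Get-FilesCreatedInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$Folder = "$env:SystemRoot\System32"
    )
    Get-ChildItem -Path $Folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        } | Sort-Object Created
}

function Compare-WithKnownGood {
    # Hash the file on the live system and a trusted copy (e.g. from install
    # media) and report whether they match; a mismatch on a file that should
    # never change is what the original poster found with notepad.exe.
    param(
        [Parameter(Mandatory)][string]$SuspectPath,
        [Parameter(Mandatory)][string]$KnownGoodPath
    )
    $suspect   = (Get-FileHash -Algorithm SHA256 -Path $SuspectPath).Hash
    $knownGood = (Get-FileHash -Algorithm SHA256 -Path $KnownGoodPath).Hash
    [pscustomobject]@{
        File             = $SuspectPath
        MatchesKnownGood = ($suspect -eq $knownGood)
        SuspectSHA256    = $suspect
        KnownGoodSHA256  = $knownGood
    }
}

# Usage. Placeholder window: replace with the 24-hour period around the
# suspected infection time.
$start = (Get-Date).AddHours(-24)
$end   = Get-Date
Get-FilesCreatedInWindow -Start $start -End $end | Format-Table -AutoSize

# Placeholder path: a notepad.exe copied from trusted install media.
Compare-WithKnownGood -SuspectPath "$env:SystemRoot\System32\notepad.exe" `
                      -KnownGoodPath 'X:\path\to\known-good\notepad.exe'
```

Two caveats for reading the output. Creation timestamps can be set by the file's author, so an empty window does not prove nothing was dropped; pair it with the modification column the first poster used. And on older Windows versions Get-AuthenticodeSignature reports catalog-signed OS files as NotSigned, so that column is a hint for prioritising, while the hash comparison against a trusted copy is the check that actually settles whether a system file was replaced.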

3) Then I ran Dr. Web CureIt … that didn't pick up Stration/Warez, but it did find 18 other "items" that Avast doesn't see; mebbe one or more were related?

I think Dr.Web is identifying Warezov/Stration as Win32.HLLM.Limar:

http://forum.avast.com/index.php?topic=24322.msg199618#msg199618