Trojan Disguised as a Microsoft Security Patch

The security experts from Avira announced that there is a Trojan in circulation, “TR/Dldr.Stration.C”, since last night. This Trojan was sent via email in the wee hours of the morning. After the user had started the computer, the Trojan will download and activate a worm already known as “Worm/Stration.C”: The infected email will then disguise in an administration email. Moreover, the email has an attachment and can be recognized after the following English subjects:
• Error
• Good day
• hello
• Mail Delivery System
• Mail Transaction Failed
• picture
• Mail Server Report
• Status
• test “Mail server report”

The file names of the attachments are very much alike the typical Microsoft patch programs like for instance: "Update-KB%Nummer%-x86.exe" or "Update-KB%Nummer%-x86.zip" whereby the placeholder is an incidental number. Furthermore, a Windows mask will pop up showing the following message: “Update successfully installed”.

“Within a few hours after the outbreak, our special observation networks, the so called traps, already contained more than 4000 copies of the Trojan. In this way we came to the conclusion that the malware was spreading strongly and very rapidly”, explains Gernot Hacker, Security Expert at Avira. “Through the new heuristic AHeAD, Avira AntiVir was able to proactively detect 36 different variants of the Trojan and to ward off reliably. Particularly these kinds of Trojans are used very often for attacks in order to infiltrate programs into the computer where they can procure the access for further criminal attacks. In the majority of cases, the users don’t even notice anything.

The affected systems are Windows operating systems running on Windows 95, 98, 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP und Windows 2003.