Stration worm masquerades as security patch

A new version of the Stration worm has been engineered to infect computers by posing as a computer update, a security vendor has warned.

Sophos said that its latest reports showed that Stratio-AN is "rapidly spreading".

"The Stratio-AN worm has been aggressively distributed by its author since the early hours of Monday morning," said the firm in a statement.

"It spreads via email using a variety of disguises, including an example which ironically poses as a warning that the recipient's computer is infected by a worm."

One version of Stratio-AN uses the email subject line 'Mail server report' and warns users that their PC is sending out emails containing the worm.

The bogus customer support service email contains a zipped file with the name 'Update-KB7859-x86.zip', which installs the worm on the user's PC.

"This new offspring of Stration is hitting email gateways hard, attempting to infect unsuspecting computer users," said Graham Cluley, senior technology consultant at Sophos.

"Anyone accessing their email has to learn to resist the temptation of opening unsolicited attachments, and ensure that their anti-malware protection is kept fully up to date."

Sophos explained that the worm is using the disguise of a security warning to play on concern about an unpatched vulnerability in Microsoft's software.

"Many Windows users are waiting anxiously for Microsoft to fix the VML flaw in its code, which has been exploited by hackers," said Cluley.

"It is possible that those behind the Stration worm are playing on the internet community's heightened concern over being left unprotected by Microsoft."

Cluley stressed that users should only ever get security patches from the vendors' official websites, and that users should not rely on patches emailed to them "out of the blue".

"A legitimate vendor would never send them to you and in an ideal world you would always go to the vendor who has got the problem for the fix," Cluley told vnunet.com.

However, Cluley acknowledged that there are times when third-party patches could help, as long as they are from respectable sources.

He referred to the unauthorised patch from Zert for the Microsoft VML flaw, describing the Zert researchers as "upstanding, decent, competent security people".
"It is not as if that patch has come out of the blue and it's Fred Flintstone on the internet. Zert has more credibility than that," he said.