( Win32/Stration, Win32.HLLM.Limar, Win32/Stratio, Win32/Strati)
Unknown processes running from the System32 directory with names like FFFFFFFFFF.exe or wwwwwwwwww.exe (name composed of 10 random characters).
Please let BitDefender disinfect your files.
Dan Lutas, virus researcher
This malware is composed of two parts :
- A dropper with the size of 30212 bytes packed with UPX. This drops the dowloader component (described below) in the System32 directory with a random name like FFFFFFFFFF.exe or wwwwwwwwww.exe and executes it.
- The downloader component has a size of 13824 bytes. Upon execution it shows a fake error message with the text "Unknown error" which has the purpose of misleading the user into believing that the executable did not run. Then it will wait until an internet connection is available, download an executable from a predefined URL and execute it. The downloading is done with the Winsock functions, and because of that it will fail if a given computer needs to go through a predefined proxy server to access the Internet.