The latest sample of Stration uses social engineering on several levels, including pretending to be the Notepad application by using its icon (many previous Stration samples have done this) and arriving in a file called “Video_fragment.zip”.
However, today’s sample does not even execute. In an effort to obfuscate the code, the author has altered the file offsets and sizes of the sections (the PointerToRawData and SizeOfRawData fields of the Portable Executable (PE) section table) so that they are no longer multiples of the FileAlignment value given in the file’s PE optional header. The PE specification requires both fields to be multiples of FileAlignment, so the Windows loader does not map the section data the way the author laid it out; execution starts in a completely different place from that expected by the author, and the program simply crashes in an ignominious manner.
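The alignment rule described above is easy to check mechanically, and a gateway or triage script can use it to flag samples whose section tables are malformed in this way. The following is an added example, not code from the original post or from any vendor product: a minimal PE section-table parser using only the standard library, with a checker that reports every section whose PointerToRawData or SizeOfRawData is not a multiple of FileAlignment (plus the related VirtualAddress/SectionAlignment rule and an out-of-file raw range). The two PE images it runs against are constructed in the script itself, one well-formed and one with a misaligned .text section modelled on the behaviour described above; they are not the Stration sample.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_pe_headers(data):
    """Return (FileAlignment, SectionAlignment, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    # SectionAlignment/FileAlignment sit at the same offsets in PE32 and PE32+.
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    sections = []
    base = opt + size_opt
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, base + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "VirtualAddress": fields[2],
            "SizeOfRawData": fields[3],
            "PointerToRawData": fields[4],
        })
    return file_align, sect_align, sections


def check_section_alignment(data):
    """Return a list of findings; an empty list means the section table obeys the PE alignment rules."""
    file_align, sect_align, sections = parse_pe_headers(data)
    findings = []
    # Spec: FileAlignment is a power of two between 512 and 64K; SectionAlignment >= FileAlignment.
    if file_align < 0x200 or file_align > 0x10000 or file_align & (file_align - 1):
        findings.append(f"FileAlignment 0x{file_align:x} is outside the PE specification")
    if sect_align < file_align:
        findings.append(f"SectionAlignment 0x{sect_align:x} is smaller than FileAlignment 0x{file_align:x}")
    for s in sections:
        if s["PointerToRawData"] % file_align:
            findings.append(f"{s['name']}: PointerToRawData 0x{s['PointerToRawData']:x} "
                            f"is not a multiple of FileAlignment 0x{file_align:x}")
        if s["SizeOfRawData"] % file_align:
            findings.append(f"{s['name']}: SizeOfRawData 0x{s['SizeOfRawData']:x} "
                            f"is not a multiple of FileAlignment 0x{file_align:x}")
        if s["VirtualAddress"] % sect_align:
            findings.append(f"{s['name']}: VirtualAddress 0x{s['VirtualAddress']:x} "
                            f"is not a multiple of SectionAlignment 0x{sect_align:x}")
        if s["PointerToRawData"] + s["SizeOfRawData"] > len(data):
            findings.append(f"{s['name']}: raw data extends past end of file")
    return findings


def build_test_pe(ptr_raw, size_raw, file_align=0x200, sect_align=0x1000):
    """Construct a minimal PE32 image with one .text section (test data, not a real binary)."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # PE32 optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000) # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    sect = struct.pack(SECTION_HEADER_FMT, b".text", 0x100, 0x1000, size_raw, ptr_raw,
                       0, 0, 0, 0, 0x60000020)
    header = dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + sect
    total = max(len(header), ptr_raw + size_raw)
    return header + b"\0" * (total - len(header))


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # check a file from disk
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:                                     # or the two constructed images
        samples = {"aligned": build_test_pe(0x200, 0x200),
                   "misaligned": build_test_pe(0x17C, 0x180)}
    for label, blob in samples.items():
        print(label, check_section_alignment(blob) or "OK")
```

Treat the result as a heuristic rather than a verdict: some packers and hand-built binaries break these rules on purpose and still run, and loader tolerance for malformed headers differs between Windows versions, so a file flagged here warrants a closer look rather than an automatic decision either way.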
Even so, the broken sample is detected as W32/Stration-AV, so that the initial seeding of the sample is stopped at email gateways. Loader tolerance for malformed headers also varies between Windows versions, so a sample that crashes on one system should not be assumed to be harmless everywhere.