The Win32/Stration family of worms has kept ESET's analysts busy over the last few days; but last night, with close to 50 variants being released in one go, they were able to go home and get some sleep. Why? Well, last night they created a ThreatSense Heuristic Update which allowed them to catch all the subsequent variants that came out.
Win32/Stration is a family of mass mailing worms, and there are many variants. A general description can be found here Although there is always a lot of malware flying about, the internet is currently struggling with one of the biggest virus epidemics of the past few months. Not only are there hundreds of variants of Stration, but they seem to be extremely fast spreading, using not only massmailing techniques but also sending to ICQ contacts. The problem with Stration has really been that there seems to be a lot of effort going into making each new variant undetectable by as many scanners as possible. At around 11AM (Pacific Time) yesterday, ESET released an update to the Advanced Heuristic system, which could effectively detect the new variants. The results can be seen here - with more than 1.3 million heuristic detections, most of which are Stration.
While it's not always possible to detect things perfectly proactively all the time (though we certainly try!), the beauty of the implementation of the ThreatSense heuristic system is that it can be updated just as a regular product has it's signatures updated. So as soon as an analyst has the knowledge about how to detect something based on its behaviour, it can be 'taught' to the system, which is then very effective at doing the job from then on, even if the code changes.
AJ - Chief Research Officer - ESET
