After the “success” of WORM_STRAT.DR yesterday, the inevitable twin brother is bound to show up sooner or later. Clearly, with the detection of WORM_STRAT.DX today, it is more “sooner” rather than “later”.

Similar to the .DR variant, this new STRATION worm arrives on a system as a downloaded file of its manually-spammed Trojan clone (TROJ_STRAT.DX). And with the sudden surge of infection reports (mainly from Japan, Taiwan, and China) and email samples received, it seems that there is another attempt at a “spiked attack”. What is different, from these two variants, however, is the domain where they download additional components. Yesterday it was vedasetionderun.comfor WORM_STRAT.DR. Since this is most probably already blocked by most security companies, WORM_STRAT.DX opted to use another domain: hertionkadesinpoion.com.

From the looks of things, there seems to be a new STRATION strategy in the works. Blame it on the recent cameo appearance of MYTOB, because here’s what I think: after all those comparisons between STRATION and MYTOB (i.e., STRATION is the new MYTOB), the sudden reappearance of the the latter reminded us that MYTOB maybe old, but it’s still packs a punch. Placed beside the “original”, STRATION looked like a pathetic copycat.

Uh-oh. Are we looking at another worm war? Let’s hope not.