Home / malware Worm:Win32/Stuxnet.B
First posted on 20 July 2010.
Source: SecurityHomeAliases :
Worm:Win32/Stuxnet.B is also known as Trojan-Dropper.Win32.Stuxnet.b (Kaspersky), Trojan.DR.Stuxnet.B (VirusBuster), TR/Stuxnet.m (Avira), Win32.Worm.Stuxnet.A (Avira), Win32/Stuxnet.B (CA), Trojan.Stuxnet.1 (Dr.Web), Win32/Stuxnet.B (ESET), Stuxnet (McAfee), Rootkit/Inject.IW (Panda), Troj/Stuxnet-C (Sophos), WORM_STUXNET.A (Trend Micro).
Explanation :
Worm:Win32/Stuxnet.B is the detection for a worm that spreads to all removable drives. It does this by dropping shortcut files (.LNK) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer). It is capable of dropping and installing other components, injecting code into currently-running processes, and allowing backdoor access and control to the infected computer.
Top
Worm:Win32/Stuxnet.B is the detection for a worm that spreads to all removable drives. It does this by dropping shortcut files (.LNK) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer). Installation When run, Worm:Win32/Stuxnet.B creates a randomly-named mutex such as "FJKIKK" or "FJGIJK". The trojan also opens or creates one or more of the following mutexes:@ssd<random hex number> Global\Spooler_Perf_Library_Lock_PID_01F Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3} Global\{5EC171BB-F130-4a19-B782-B6E655E091B2} Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3} Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC} Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26} Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA} Spreads via... Removable drives Worm:Win32/Stuxnet.B drops the following files in all removable drives:~wtr4132.tmp - TrojanDropper:Win32/Stuxnet.B ~wtr4141.tmp - Worm:Win32/Stuxnet.B It also drops a .LNK file that serves as a shortcut to "~wtr4141.tmp" or "~wtr4132.tmp"; the .LNK file may have any of the following names:"Copy of Shortcut to.lnk" "Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Copy of Shortcut to.lnk" The .LNK files are detected as Exploit:Win32/CplLnk.A. Payload Installs other malware Worm:Win32/Stuxnet.B installs the following Stuxnet components:<system folder>\mrxcls.sys - Trojan:WinNT/Stuxnet.A <system folder>\mrxnet.sys - Trojan:WinNT/Stuxnet.B Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The worm also creates the following registry subkeys with the associated values to run the dropped components as services: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls HKLM\SYSTEM\CurrentControlSet\Services\MRxNet It installs the drivers so that when a removable media drive such as a USB drive is inserted, it automatically executes itself. Injects code Worm:Win32/Stuxnet.B may inject code to the following processes:explorer.exe services.exe svchost.exe lsass.exe The injected code contains links to the following sites related to online betting for football:www.mypremierfutbol.com www.todaysfutbol.com Worm:Win32/Stuxnet.B also creates the following encrypted data files:%windir%\inf\mdmcpq3.pnf %windir%\inf\mdmeric3.pnf %windir%\inf\oem6c.pnf %windir%\inf\oem7a.pnf These files are decrypted and loaded by the injected code. Allows backdoor access and control Worm:Win32/Stuxnet.B connects to a remote server to possibly perform certain actions, including the following:Terminate processes Execute SQL queries Connect to certain websites Download and execute arbitrary files Send information
Analysis by Francis Allan Tan SengLast update 20 July 2010