
Worm:Win32/Stekct.A


First posted on 16 February 2012.
Source: Microsoft

Aliases:

Worm:Win32/Stekct.A is also known as Trojan horse Dropper.Generic5.AGAU (AVG), Win32.HLLW.Autoruner1.11800 (Dr.Web), Win32/Gyimface.A worm (ESET), Trojan.Win32.Pakes (Ikarus), Trojan-Dropper.Win32.Daws.miu (Kaspersky), Trojan:Win32/Comisproc (other), Worm:Win32/Pushbot.gen!C (other), Mal/ZboCheMan-A (Sophos), Skype worm (other).

Explanation:

Worm:Win32/Stekct.A is a worm that spreads by sending a message via social media and popular Internet chat programs that contains a hyperlink to the worm.





Installation

As part of its installation process, the worm copies itself as "mdm.exe" to one of the following folders:

  • %windir%
  • %ProgramFiles%
  • %PUBLIC% (i.e. C:\Users\Public)


Worm:Win32/Stekct.A makes the following changes to the registry to ensure its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "<copied file>"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"

Spreads via...

Social media and Internet chat programs

Worm:Win32/Stekct.A spreads by sending a message containing a link to a malicious file, similar to the following:

"HAHA LOL could this be you? hxxp://goo.gl/LFDt0?Facebook.com-IMG<six random numbers>.JPG"

In the wild, we have observed this link pointing to a file detected as VirTool:Win32/CeeInject.CV.

The worm sends this message to the affected user's contacts from the following instant messenger software and social networks:

  • AIM
  • Facebook
  • GIMP
  • Google Talk
  • ICQ
  • Skype
  • Windows Live Messenger
  • Yahoo Messenger


Payload

Contacts remote hosts

In the wild, we have observed the worm contacting a remote host at 173.192.41.220 for the following purposes:

  • Download and execute arbitrary files
  • Send a retrieved message over the following instant messenger software and social networks:
    • AIM
    • Facebook
    • GIMP
    • Google Talk
    • ICQ
    • Skype
    • Windows Live Messenger
    • Yahoo Messenger


The worm may contact other remote host addresses in an attempt to make a successful connection.

Modifies system settings

Worm:Win32/Stekct.A adds itself to the list of trusted processes that are authorized to access the network by making the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<copied file>"
With data: "<copied file>:*:enabled:microsoft firevall engine"

Terminates processes

Worm:Win32/Stekct.A terminates the following processes, and deletes associated files:

  • egui.exe
  • ekrn.exe
  • msseces.exe
  • svhost.exe
  • YahooAUService.exe
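The following read-only PowerShell check is an added example, not part of the Microsoft write-up; it looks for the indicators described above (the three Run-key autostart entries, the dropped mdm.exe copies, the firewall exception, and a running mdm process) on a Windows host. It assumes the script runs with rights to read HKLM and that the environment variables %windir%, %ProgramFiles% and %PUBLIC% are defined; a hit should be confirmed by hashing or signature-checking the file, since the output only reports matches.

```powershell
# Added example (not from the Microsoft write-up): host check for Worm:Win32/Stekct.A indicators.
# Assumes read access to HKLM and standard %windir%, %ProgramFiles% and %PUBLIC% variables.

$valueName = 'Microsoft Firevall Engine'   # misspelled value name the worm writes (kept as in the write-up)

# 1. Autostart entries: HKLM Run, HKCU Run and the Terminal Server Install Run key
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$valueName]) {
            Write-Output ("[persistence] {0}\{1} = {2}" -f $key, $valueName, $props.$valueName)
        }
    }
}

# 2. Dropped copies: mdm.exe directly in the three folders named in the write-up (not System32)
$dropFolders = @($env:windir, $env:ProgramFiles, $env:PUBLIC)
foreach ($folder in $dropFolders) {
    if ($folder) {
        $candidate = Join-Path $folder 'mdm.exe'
        if (Test-Path $candidate) {
            Write-Output ("[dropped file] {0}" -f $candidate)
        }
    }
}

# 3. Firewall exception in the legacy AuthorizedApplications list; the data ends with the same misspelled name
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    $fwProps = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    foreach ($p in $fwProps.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'microsoft firevall engine') {
            Write-Output ("[firewall exception] {0} = {1}" -f $p.Name, $p.Value)
        }
    }
}

# 4. A running process using the dropped file name (Get-Process takes the name without .exe)
Get-Process -Name 'mdm' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("[running] mdm.exe PID {0} path {1}" -f $_.Id, $_.Path) }
```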




Analysis by Shawn Wang

Last update 16 February 2012
