
TrojanDropper:Win32/Stuxnet.A


First posted on 17 July 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Stuxnet.A is also known as VirTool:WinNT/Rootkitdrv.HK (other), Trojan horse SHeur3.XLI (AVG), Sus/UnkPack-C (Sophos), Rootkit.TmpHider (other).

Explanation :

TrojanDropper:Win32/Stuxnet.A is a trojan that drops and installs other Stuxnet components detected as Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B. It also injects code into certain processes. The injected code contains links to certain football betting websites.

Installation :

When run, this trojan creates a randomly named mutex such as "FJKIKK" or "FJGIJK". The trojan also opens or creates one or more of the following mutexes:

@ssd<hex_number>
Global\Spooler_Perf_Library_Lock_PID_01F
Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}

Payload :

Installs Stuxnet components

The trojan dropper also installs the following Stuxnet components:

<system folder>\mrxcls.sys - Trojan:WinNT/Stuxnet.A
<system folder>\mrxnet.sys - Trojan:WinNT/Stuxnet.B

The trojan dropper creates the following registry subkeys with associated values to run the dropped components as a service:

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

TrojanDropper:Win32/Stuxnet.A creates the following encrypted data files:

C:\Windows\inf\mdmcpq3.pnf
C:\Windows\inf\mdmeric3.pnf
C:\Windows\inf\oem6c.pnf
C:\Windows\inf\oem7a.pnf

Injects code

TrojanDropper:Win32/Stuxnet.A may inject code into the following processes:

lsass.exe
svchost.exe
services.exe

The injected code contains links to the following sites related to online betting for football:

www.mypremierfutbol.com
www.todaysfutbol.com

The created .pnf files are decrypted and loaded by the injected code.
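As an added example (not part of the original write-up), the following Python matcher checks a host inventory of mutex names, file paths and registry keys against the indicators listed above. The sample inventory is constructed, and the handling of "@ssd<hex_number>" assumes that hexadecimal digits follow the prefix, as the page's notation implies.

```python
import re

# Indicators as listed in the TrojanDropper:Win32/Stuxnet.A write-up above.
# Win32 mutex names are case-sensitive, so these are matched exactly.
MUTEX_NAMES = {
    r"Global\Spooler_Perf_Library_Lock_PID_01F",
    r"Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}",
    r"Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}",
    r"Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}",
    r"Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}",
    r"Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}",
    r"Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}",
}
# "@ssd<hex_number>": the page gives only the prefix; assumption: hex digits follow it.
SSD_MUTEX = re.compile(r"^@ssd[0-9A-Fa-f]+$")
DRIVER_FILES = {"mrxcls.sys", "mrxnet.sys"}  # dropped into <system folder>
PNF_FILES = {"mdmcpq3.pnf", "mdmeric3.pnf", "oem6c.pnf", "oem7a.pnf"}  # under inf\
# Registry key names and NTFS paths are case-insensitive, so those are lowercased.
SERVICE_KEYS = {
    r"hklm\system\currentcontrolset\services\mrxcls",
    r"hklm\system\currentcontrolset\services\mrxnet",
}

def match_indicators(mutexes, files, registry_keys):
    """Return the write-up's indicators found in a host inventory, by category."""
    hits = {"mutex": [], "file": [], "registry": []}
    for m in mutexes:
        if m in MUTEX_NAMES or SSD_MUTEX.match(m):
            hits["mutex"].append(m)
    for f in files:
        path = f.replace("/", "\\").lower()
        name = path.rsplit("\\", 1)[-1]
        # The .pnf names only count when they sit in an inf\ directory, as on the page.
        if name in DRIVER_FILES or (name in PNF_FILES and "\\inf\\" in path):
            hits["file"].append(f)
    for k in registry_keys:
        if k.lower().rstrip("\\") in SERVICE_KEYS:
            hits["registry"].append(k)
    return hits

# Constructed sample inventory (not real telemetry), with benign entries mixed in.
SAMPLE_MUTEXES = ["@ssd1A2B", r"Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}", r"Global\Unrelated"]
SAMPLE_FILES = [r"C:\Windows\System32\mrxcls.sys", r"C:\Windows\inf\oem7a.pnf", r"C:\Windows\inf\layout.inf"]
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\MRxNet", r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler"]

if __name__ == "__main__":
    for category, items in match_indicators(SAMPLE_MUTEXES, SAMPLE_FILES, SAMPLE_KEYS).items():
        print(category, items)
```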

Analysis by Matt McCormack & Andrei Florin Saygo

Last update 17 July 2010
