Worm:Win32/Stekct.A is a worm that spreads by sending a message via social media and popular Internet chat programs that contains a hyperlink to the worm.
Installation
As part of its installation process, the worm copies itself as "mdm.exe" to one of the following folders:
- %windir%
- %ProgramFiles%
- %PUBLIC% (i.e. C:\Users\Public)
Worm:Win32/Stekct.A makes the following changes to the registry to ensure its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "<copied file>"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"
Spreads via...
Social media and Internet chat programs
Worm:Win32/Stekct.A spreads by sending a message containing a link to a malicious file, similar to the following:
"HAHA LOL could this be you? hxxp://goo.gl/LFDt0?Facebook.com-IMG<six random numbers>.JPG"
In the wild, we have observed this link pointing to a file detected as VirTool:Win32/CeeInject.CV.
The worm sends this message to the affected user's contacts from the following instant messenger software and social networks:
- AIM
- Facebook
- GIMP
- Google Talk
- ICQ
- Skype
- Windows Live Messenger
- Yahoo Messenger
Payload
Contacts remote hosts
In the wild, we have observed the worm contacting a remote host at 173.192.41.220 for the following purposes:
- Download and execute arbitrary files
- Send the retrieved message via the following instant messenger software and social networks:
  - AIM
  - Facebook
  - GIMP
  - Google Talk
  - ICQ
  - Skype
  - Windows Live Messenger
  - Yahoo Messenger
The worm may contact other remote host addresses in an attempt to make a successful connection.
Modifies system settings
Worm:Win32/Stekct.A adds itself to the list of trusted processes that are authorized to access the network by making the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<copied file>"
With data: "<copied file>:*:enabled:microsoft firevall engine"
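The Run-key persistence entries and the firewall allow-list change described above can both be checked for in an exported registry hive. The following is an added example, not part of this analysis: it parses a constructed "reg export" style dump (the sample data is made up, with `C:\Windows`, `C:\Program Files` and `C:\Users\Public` assumed as the expansions of %windir%, %ProgramFiles% and %PUBLIC%) and reports entries matching the described value names, drop locations and allow-list data.

```python
import re
from typing import List, Tuple

# Constructed sample of a "reg export" style dump (not a real capture); the
# first three entries mirror the registry changes described in this analysis.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Firevall Engine"="C:\\Windows\\mdm.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Firevall Engine"="C:\\Windows\\mdm.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\mdm.exe"="C:\\Windows\\mdm.exe:*:enabled:microsoft firevall engine"
"C:\\Program Files\\App\\app.exe"="C:\\Program Files\\App\\app.exe:*:Enabled:App"
'''

# Matches one "name"="data" line of a .reg file (string values only).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumed expansions of %windir%, %ProgramFiles% and %PUBLIC% (lower-cased).
DROP_DIRS = (r"c:\windows", r"c:\program files", r"c:\users\public")


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples from a .reg-style export."""
    triples, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg doubles backslashes and escapes quotes; undo both.
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            triples.append((key, name, data))
    return triples


def find_stekct_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (indicator, key, value_name) for entries matching the described changes."""
    hits = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if k.endswith(r"\currentversion\run"):
            if name.lower() == "microsoft firevall engine":
                hits.append(("run-key value name", key, name))
            folder, _, exe = d.rpartition("\\")
            if exe == "mdm.exe" and folder in DROP_DIRS:
                hits.append(("mdm.exe in drop folder", key, name))
        elif k.endswith(r"\authorizedapplications\list") and d.endswith(":enabled:microsoft firevall engine"):
            hits.append(("firewall allow-list entry", key, name))
    return hits


if __name__ == "__main__":
    for hit in find_stekct_indicators(SAMPLE_REG):
        print(*hit, sep=" | ")
```

On the constructed sample this reports five entries: the value name and the mdm.exe path under both Run keys, plus the allow-list entry.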
Terminates processes
Worm:Win32/Stekct.A terminates the following processes, and deletes associated files:
- egui.exe
- ekrn.exe
- msseces.exe
- svhost.exe
- YahooAUService.exe
Analysis by Shawn Wang