Worm:Win32/Stekct.A


Worm:Win32/Stekct.A is a worm that spreads by sending a message via social media and popular Internet chat programs that contains a hyperlink to the worm.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Stekct.A is a worm that spreads by sending a message via social media and popular Internet chat programs that contains a hyperlink to the worm.

Installation

As part of its installation process, the worm copies itself as "mdm.exe" to one of the following folders: 

  • %windir%
  • %ProgramFiles%
  • %PUBLIC% (i.e. C:\Users\Public)

Worm:Win32/Stekct.A makes the following changes to the registry to ensure its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "<copied file>"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft Firevall Engine"
With data: "%windir%\mdm.exe"

Spreads via...

Social media and Internet chat programs

Worm:Win32/Stekct.A spreads by sending a message containing a link to a malicious file, similar to the following:

"HAHA LOL could this be you? hxxp://goo.gl/LFDt0?Facebook.com-IMG<six random numbers>.JPG"

In the wild, we have observed this link pointing to a file detected as VirTool:Win32/CeeInject.CV.

The worm sends this message to the affected user's contacts from the following instant messenger software and social networks:

  • AIM
  • Facebook
  • GIMP
  • Google Talk
  • ICQ
  • Skype
  • Windows Live Messenger
  • Yahoo Messenger

Payload

Contacts remote hosts

In the wild, we have observed the worm contacting a remote host at 173.192.41.220 for the following purposes:

  • Download and execute arbitrary files
  • Send retrieved messages over the following instant messenger software and social networks:
    • AIM
    • Facebook
    • GIMP
    • Google Talk
    • ICQ
    • Skype
    • Windows Live Messenger
    • Yahoo Messenger

The worm may contact other remote host addresses in an attempt to make a successful connection.

Modifies system settings

Worm:Win32/Stekct.A adds itself to the list of trusted processes that are authorized to access the network by making the following registry modification:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "<copied file>"
With data: "<copied file>:*:enabled:microsoft firevall engine"

Terminates processes

Worm:Win32/Stekct.A terminates the following processes, and deletes associated files: 

  • egui.exe
  • ekrn.exe
  • msseces.exe
  • svhost.exe
  • YahooAUService.exe

Analysis by Shawn Wang


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    mdm.exe

  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "Microsoft Firevall Engine"
    With data: "<copied file>"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "Microsoft Firevall Engine"
    With data: "%windir%\mdm.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "Microsoft Firevall Engine"
    With data: "%windir%\mdm.exe"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "<copied file>"
    With data: "<copied file>:*:enabled:microsoft firevall engine"
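The following host-triage script is an added example and is not part of this entry or of any Microsoft tool. It checks a Windows host for the indicators listed above (the three Run-key locations, the firewall AuthorizedApplications entry, the dropped mdm.exe copy, and whether that copy is running), and additionally reports which of the security processes the worm terminates are not running. The value name "Microsoft Firevall Engine" (misspelt as the worm writes it), the file name and folders, and the registry keys are taken from this page; everything else (variable names, output format, the SHA-256 hashing, the process-path comparison) is the example's own choice. Run it from an elevated PowerShell prompt (PowerShell 4.0 or later, for Get-FileHash).

```powershell
# Triage script for the Worm:Win32/Stekct.A indicators described on this page.
# Added example, not Microsoft's tooling. Run as Administrator.

$ValueName = 'Microsoft Firevall Engine'   # misspelling is the worm's, not a typo
$DropName  = 'mdm.exe'

# Run keys the worm writes: HKLM Run, HKCU Run, and the Terminal Server install-mode
# shadow of HKLM Run, which autoruns tools sometimes overlook.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Pre-Vista Windows Firewall exception list; the worm's entry ends in the same misspelt string.
$FirewallKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Folders the worm copies itself into. mdm.exe is also a legitimate file name (Machine Debug
# Manager, normally under Common Files\Microsoft Shared\VS7Debug), so the location matters.
$DropDirs = @($env:windir, $env:ProgramFiles, $env:PUBLIC) | Where-Object { $_ }

# Processes the worm terminates (egui/ekrn: ESET, msseces: Microsoft Security Essentials).
$KilledProcs = @('egui', 'ekrn', 'msseces', 'YahooAUService')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Autostart entries under the three Run keys
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
        Add-Finding 'RunKey' $key ("{0} = {1}" -f $ValueName, $props.$ValueName)
    }
}

# 2. Firewall exception: value name is the dropped path, data ends in the misspelt engine name
if (Test-Path -Path $FirewallKey) {
    $fw = Get-ItemProperty -Path $FirewallKey -ErrorAction SilentlyContinue
    foreach ($prop in $fw.PSObject.Properties) {
        if (($prop.Value -is [string]) -and ($prop.Value -match 'microsoft firevall engine')) {
            Add-Finding 'FirewallList' $FirewallKey ("{0} = {1}" -f $prop.Name, $prop.Value)
        }
    }
}

# 3. Dropped copy in any of the three folders, hashed for later correlation
foreach ($dir in $DropDirs) {
    $path = Join-Path -Path $dir -ChildPath $DropName
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Add-Finding 'DroppedFile' $path ("SHA256 {0}" -f $hash)
    }
}

# 4. Is the dropped copy running? Match on full path, since the legitimate mdm.exe shares the name.
Get-Process -Name 'mdm' -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.Path
    $pid = $_.Id
    if ($exe) {
        foreach ($dir in $DropDirs) {
            if ($exe -eq (Join-Path -Path $dir -ChildPath $DropName)) {
                Add-Finding 'Process' $exe ("PID {0}" -f $pid)
            }
        }
    }
}

# 5. Security tooling the worm kills. Absence alone is only a hint (the product may simply
# not be installed), so this is reported for the analyst to verify, not as a detection.
$missing = $KilledProcs | Where-Object { -not (Get-Process -Name $_ -ErrorAction SilentlyContinue) }
if ($missing) {
    Add-Finding 'AVProcessNotRunning' ($missing -join ', ') 'verify against the products installed on this host'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Stekct.A indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reports; it does not delete the file or the registry values, so that the hash and the exact Run-key data can be recorded before cleanup with an up-to-date scanner. On Vista and later the StandardProfile\AuthorizedApplications key is a legacy location, so a missing firewall finding there does not by itself rule the worm out.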


Prevention


Alert level: Severe
First detected by definition: 1.119.1988.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Feb 15, 2012
This entry was first published on: Feb 15, 2012
This entry was updated on: Feb 15, 2012

This threat is also detected as:
  • Trojan horse Dropper.Generic5.AGAU (AVG)
  • Win32.HLLW.Autoruner1.11800 (Dr.Web)
  • Win32/Gyimface.A worm (ESET)
  • Trojan.Win32.Pakes (Ikarus)
  • Trojan-Dropper.Win32.Daws.miu (Kaspersky)
  • Trojan:Win32/Comisproc (other)
  • Worm:Win32/Pushbot.gen!C (other)
  • Mal/ZboCheMan-A (Sophos)
  • Skype worm (other)