Worm:Win32/Stuxnet.A


Worm:Win32/Stuxnet.A is the detection for a worm that spreads to all removable drives. It does this by dropping shortcut files (.LNK) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer).
 
It is capable of dropping and installing other components, injecting code into currently-running processes, and allowing backdoor access and control to the infected computer.


What to do now

This worm uses the vulnerability discussed in Microsoft Security Bulletin MS10-046 as an attack vector. Refer to the bulletin for mitigating factors and workarounds for the vulnerability.
 
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
When run, Worm:Win32/Stuxnet.A creates a randomly named mutex such as "FJKIKK" or "FJGIJK". The worm also opens or creates one or more of the following mutexes:
 
  • @ssd<random hex number>
  • Global\Spooler_Perf_Library_Lock_PID_01F
  • Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
  • Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
  • Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
  • Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
  • Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
  • Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}
Spreads via...
Removable drives
Worm:Win32/Stuxnet.A drops the following files in all removable drives:
 
 
It also drops a .LNK file that serves as a shortcut to "~wtr4141.tmp" or "~wtr4132.tmp"; the .LNK file may have any of the following names:
 
  • "Copy of Shortcut to.lnk"
  • "Copy of Copy of Shortcut to.lnk"
  • "Copy of Copy of Copy of Shortcut to.lnk"
  • "Copy of Copy of Copy of Copy of Shortcut to.lnk"
 
The .LNK files are detected as Exploit:Win32/CplLnk.A.
Payload
Installs other malware
Worm:Win32/Stuxnet.A installs the following Stuxnet components:
 
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for Windows XP, Vista, and 7.
 
The worm also creates the following registry subkeys with the associated values to run the dropped components as services:
 
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
 
It installs the drivers so that when a removable media drive such as a USB drive is inserted, it automatically executes itself.
 
Injects code
Worm:Win32/Stuxnet.A may inject code into the following processes:
 
  • explorer.exe
  • services.exe
  • svchost.exe
  • lsass.exe
 
The injected code contains links to the following sites related to online betting for football:
 
  • www.mypremierfutbol.com
  • www.todaysfutbol.com
 
Worm:Win32/Stuxnet.A also creates the following encrypted data files:
 
  • %windir%\inf\mdmcpq3.pnf
  • %windir%\inf\mdmeric3.pnf
  • %windir%\inf\oem6c.pnf
  • %windir%\inf\oem7a.pnf
 
These files are decrypted and loaded by the injected code.
 
Allows backdoor access and control
Worm:Win32/Stuxnet.A connects to a remote server to possibly perform certain actions, including the following:
 
  • Terminate processes
  • Execute SQL queries
  • Connect to certain websites
  • Download and execute arbitrary files
  • Send information
 
Analysis by Francis Allan Tan Seng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\mrxcls.sys
    <system folder>\mrxnet.sys
  • The presence of the following registry subkeys:
    HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
    HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
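As an added triage example (not part of this entry or any Microsoft tool), the following Python matches a file listing and a list of service names against the indicators named above: the dropped drivers and .pnf files, the MRxCls/MRxNet service subkeys, and the "Copy of ... Shortcut to.lnk" and ~wtr41xx.tmp droppings on removable drives. The function names and the sample input are my own constructions.

```python
import re
from pathlib import PureWindowsPath

# Host artefacts named in this entry, as "<parent folder>\<file>" under the Windows folder.
DROPPED_FILES = {
    r"system32\mrxcls.sys", r"system32\mrxnet.sys",
    r"inf\mdmcpq3.pnf", r"inf\mdmeric3.pnf", r"inf\oem6c.pnf", r"inf\oem7a.pnf",
}
# Service subkeys under HKLM\SYSTEM\CurrentControlSet\Services.
SERVICE_NAMES = {"mrxcls", "mrxnet"}
# Removable-drive droppings: the "Copy of ... Shortcut to.lnk" names and their .tmp targets.
LNK_PATTERN = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)
TMP_NAMES = {"~wtr4141.tmp", "~wtr4132.tmp"}


def classify_path(path):
    """Return an indicator label for one file path, or None if it matches nothing."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # Compare only the last two components so both C:\Winnt and C:\Windows layouts match.
    tail = "\\".join(part.lower() for part in p.parts[-2:])
    if tail in DROPPED_FILES:
        return "dropped host file"
    if LNK_PATTERN.match(name):
        return "autorun shortcut (Exploit:Win32/CplLnk.A)"
    if name in TMP_NAMES:
        return "removable-drive payload"
    return None


def find_indicators(file_paths, service_names):
    """Match a file listing and a list of service names against the entry's indicators."""
    hits = []
    for path in file_paths:
        label = classify_path(path)
        if label:
            hits.append((label, path))
    for svc in service_names:
        if svc.lower() in SERVICE_NAMES:
            hits.append(("malicious service key", svc))
    return hits


# Constructed sample input (not captured from a real host) for a stand-alone run.
SAMPLE_FILES = [
    r"C:\Windows\System32\mrxcls.sys", r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\inf\oem7a.pnf", r"E:\Copy of Copy of Shortcut to.lnk",
    r"E:\~WTR4141.tmp", r"E:\Shortcut to.lnk",
]
SAMPLE_SERVICES = ["MRxCls", "Tcpip"]

if __name__ == "__main__":
    for label, item in find_indicators(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"{label}: {item}")
```

On a live host, feed it the output of a recursive directory listing of the Windows folder and each removable drive, plus the subkey names under HKLM\SYSTEM\CurrentControlSet\Services.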

Prevention


Alert level: Severe
First detected by definition: 1.87.55.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 16, 2010
This entry was first published on: Jul 19, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • RKIT/Stuxnet.A (Avira)
  • Win32/Stuxnet.A (CA)
  • Trojan.Stuxnet.1 (Dr.Web)
  • Stuxnet (McAfee)
  • RTKT_STUXNET.A (Trend Micro)
  • Trojan:Win32/Stuxnet.A (other)