Worm:Win32/Stuxnet.B is the detection for a worm that spreads to all removable drives. It does this by dropping exploit shortcut files (files having the .LNK file extension) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer). The shortcut files are detected as Exploit:Win32/CplLnk.A.
Installation
When run, Worm:Win32/Stuxnet.B creates a randomly named mutex such as "FJKIKK" or "FJGIJK". The worm also opens or creates one or more of the following mutexes:
@ssd<random hex number>
Global\Spooler_Perf_Library_Lock_PID_01F
Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}
Spreads via...
Removable drives
Worm:Win32/Stuxnet.B drops the following files in all removable drives:
It also drops a .LNK file that serves as a shortcut to "~wtr4141.tmp" or "~wtr4132.tmp"; the .LNK file may have any of the following names:
"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
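A defender-side triage check for the removable-drive indicators named above, added here as an example and not part of the Microsoft write-up: it lists a drive root for the four shortcut names and the two dropper names, and flags any matching .LNK whose raw bytes reference a dropper name. The sample drive root is constructed in a temporary directory; the .LNK content is a fake stand-in, not a real shell link.

```python
import tempfile
from pathlib import Path

# Indicators quoted in the write-up above (file names only; no hashes are given).
STUXNET_LNK_NAMES = {
    "copy of shortcut to.lnk",
    "copy of copy of shortcut to.lnk",
    "copy of copy of copy of shortcut to.lnk",
    "copy of copy of copy of copy of shortcut to.lnk",
}
STUXNET_TMP_NAMES = {"~wtr4141.tmp", "~wtr4132.tmp"}


def lnk_references_dropper(lnk_path: Path) -> bool:
    """True if the raw .LNK bytes mention a dropper name. Shell links store
    path strings as ASCII or UTF-16LE, so both encodings are checked. This is
    a cheap triage test, not a full MS-SHLLINK parser."""
    data = lnk_path.read_bytes()
    return any(
        n.encode("ascii") in data or n.encode("utf-16-le") in data
        for n in STUXNET_TMP_NAMES
    )


def scan_drive_root(root: str) -> dict:
    """Check a (removable) drive root for the names in the write-up. Names are
    compared case-insensitively because FAT/NTFS lookups are. Only the root is
    examined, which is where the worm drops its files."""
    found = {"lnk": [], "tmp": [], "lnk_pointing_to_tmp": []}
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        lower = entry.name.lower()
        if lower in STUXNET_LNK_NAMES:
            found["lnk"].append(entry.name)
            if lnk_references_dropper(entry):
                found["lnk_pointing_to_tmp"].append(entry.name)
        elif lower in STUXNET_TMP_NAMES:
            found["tmp"].append(entry.name)
    return found


def build_sample_drive() -> str:
    """Constructed sample: a temp directory imitating an infected drive root."""
    root = Path(tempfile.mkdtemp(prefix="stuxnet_sample_"))
    # Constructed stand-in for a .LNK: fake header plus a UTF-16LE target path.
    fake_lnk = b"L\x00\x00\x00" + "\\~wtr4141.tmp".encode("utf-16-le")
    (root / "Copy of Shortcut to.lnk").write_bytes(fake_lnk)
    (root / "~wtr4141.tmp").write_bytes(b"\x00")
    (root / "holiday.jpg").write_bytes(b"benign")
    return str(root)
```

Run `scan_drive_root` against the root of a mounted removable drive to get a per-category list of matches; a non-empty `lnk_pointing_to_tmp` list is the strongest signal of the three.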
Payload
Installs other malware
Worm:Win32/Stuxnet.B installs the following Stuxnet components:
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
The worm also creates the following registry subkeys with the associated values to run the dropped components as services:
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
The drivers are installed so that the worm runs automatically whenever a removable media drive, such as a USB drive, is inserted.
Injects code
Worm:Win32/Stuxnet.B may inject code into the following processes:
explorer.exe
services.exe
svchost.exe
lsass.exe
The injected code contains links to the following sites related to online betting for football:
www.mypremierfutbol.com
www.todaysfutbol.com
Worm:Win32/Stuxnet.B also creates the following encrypted data files:
These files are decrypted and loaded by the injected code.
Allows backdoor access and control
Worm:Win32/Stuxnet.B connects to a remote server and may perform certain actions, including the following:
Analysis by Francis Allan Tan Seng