

Stuxnet exploits the zero-day LNK/PIF (shortcut file) automatic-execution vulnerability to run on the target system. The worm copies itself to the root of any removable drive as the files ~WTR4132.tmp and ~WTR4141.tmp, together with shortcuts pointing to ~WTR4132.tmp named "Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk", "Copy of Copy of Copy of Shortcut to.lnk" and "Copy of Copy of Copy of Copy of Shortcut to.lnk". When an application that can display an executable's icon renders these link files, the shortcuts cause the code in ~WTR4132.tmp to execute.

The worm loads a file as a keyboard layout file whose contents are exploit code, allowing it to execute code with SYSTEM privileges. When it is unable to gain administrator privileges in other ways, it exploits a vulnerability in Win32k.sys to elevate its privileges.

When a removable drive infected with Stuxnet is connected to a computer, the worm copies itself as the files mrxcls.sys and mrxnet.sys into the "drivers" subdirectory of the system folder. It then creates two registry keys under the local machine hive that register these files as a service.

Stuxnet also exploits a vulnerability in the Windows Print Spooler service to spread over networked machines. It sends a specially crafted print request to a networked printer that "prints" two files: winsta.exe, a dropper, into the system folder, and one additional file, sysnullevnt.mof, into the wbem\mof subdirectory of the system folder. This allows its code to be executed on that remote system.
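The file-name artefacts named above (the ~WTR*.tmp pair and the "Copy of Shortcut to.lnk" chain on a removable drive, the mrxcls.sys/mrxnet.sys drivers, and the winsta.exe and sysnullevnt.mof print-spooler drops) are the cheapest thing a responder can check for. The following is an added example written for this page, not code from the original article or from any Stuxnet analysis; it assumes the caller points it at a drive root and at the system folder (for example System32), and the sample tree it builds is constructed from empty placeholder files.

```python
"""Check a removable-drive root and a Windows system folder for the file-name
indicators this page attributes to Stuxnet.  Added example for defenders; it is
not code from the original article.  The caller supplies the drive root and the
system folder path (assumption: the layout described in the text, i.e. a
'drivers' subdirectory and a 'wbem/mof' subdirectory under the system folder).
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the text above.
REMOVABLE_PAYLOADS = {"~wtr4132.tmp", "~wtr4141.tmp"}
# "Copy of Shortcut to.lnk" up to "Copy of Copy of Copy of Copy of Shortcut to.lnk"
SHORTCUT_RE = re.compile(r"^(copy of ){1,4}shortcut to\.lnk$", re.IGNORECASE)
# Relative to the system folder: installed drivers and print-spooler drops.
DRIVER_PATHS = ("drivers/mrxcls.sys", "drivers/mrxnet.sys")
SPOOLER_DROP_PATHS = ("winsta.exe", "wbem/mof/sysnullevnt.mof")


def scan_removable_root(drive_root: Path) -> dict:
    """Return the payload files and shortcut chain found at the drive root.

    Only the root is examined, because that is where the text says the worm
    places them.  Matching is case-insensitive, as Windows file systems are.
    """
    found = {"payloads": [], "shortcuts": []}
    for entry in drive_root.iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() in REMOVABLE_PAYLOADS:
            found["payloads"].append(entry.name)
        elif SHORTCUT_RE.match(entry.name):
            found["shortcuts"].append(entry.name)
    return {k: sorted(v) for k, v in found.items()}


def removable_drive_looks_infected(result: dict) -> bool:
    """A lone .lnk is not suspicious; the payload plus a shortcut to it is."""
    return "~WTR4132.tmp".lower() in [p.lower() for p in result["payloads"]] \
        and bool(result["shortcuts"])


def scan_system_folder(system_dir: Path) -> dict:
    """Check the exact locations named in the text under the system folder."""
    checks = {"installed_drivers": DRIVER_PATHS, "spooler_drops": SPOOLER_DROP_PATHS}
    return {
        stage: sorted(rel for rel in rels if (system_dir / rel).is_file())
        for stage, rels in checks.items()
    }


def build_constructed_sample() -> tuple:
    """Create a throwaway tree mimicking the artefacts described above.

    Every file is an empty placeholder constructed for this example.
    Returns (drive_root, system_dir).
    """
    base = Path(tempfile.mkdtemp(prefix="stuxnet_ioc_demo_"))
    drive = base / "removable"
    drive.mkdir()
    for name in ("~WTR4132.tmp", "~WTR4141.tmp",
                 "Copy of Shortcut to.lnk",
                 "Copy of Copy of Shortcut to.lnk",
                 "Copy of Copy of Copy of Shortcut to.lnk",
                 "Copy of Copy of Copy of Copy of Shortcut to.lnk",
                 "holiday_photos.jpg"):  # benign file that must not be flagged
        (drive / name).touch()
    system = base / "System32"
    (system / "drivers").mkdir(parents=True)
    (system / "wbem" / "mof").mkdir(parents=True)
    for rel in DRIVER_PATHS + SPOOLER_DROP_PATHS:
        (system / rel).touch()
    return drive, system


if __name__ == "__main__":
    drive_root, system_dir = build_constructed_sample()
    drive_result = scan_removable_root(drive_root)
    print("removable drive:", drive_result,
          "-> infected" if removable_drive_looks_infected(drive_result) else "-> clean")
    print("system folder:", scan_system_folder(system_dir))
```

On a real host the same two functions would be pointed at the mounted drive letter and at the Windows system folder. File names are the weakest possible indicator, since a variant can rename them, so an empty result is not proof of absence; a positive result, especially the payload-plus-shortcut pairing on a drive root, is a strong trigger for isolating the drive and checking the service registrations and driver files the text describes.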
