Myrtus and Guava, Episode 1

A few days ago, colleagues from the Belarussian antivirus company VirusBlokAda (VBA) announced they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:

1. Using lnk files to launch files from USB storage devices, a method which hasn’t been used before.

2.The malicious driver has a valid digital signature from Realtek.

The VBA article is well worth taking a look at – great research, guys!

Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.

First of all, the way the Trojan (which we’ve called Trojan-Dropper.Win32.Stuxnet) spreads. It infects USB storage media by creating 4 lnk files:

Copy of Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Copy of Shortcut to.lnk”
– launches
.STORAGE#RemovableMedia#8&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Shortcut to.lnk”
– launches
.STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Shortcut to.lnk”
– launches
.STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_USB_FLASH_DRIVE&Rev_PMAP#0798018356734E4F&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

~WTR4141.tmp, by the way, is the main malware file.

Strings from the Trojan code responsible for infecting USB storage media

What’s interesting is that the ID in the first two files is the unique number given to the USB device by the computer on which it’s being accessed.

Up until now, it’s been autorun.inf that’s been responsible for automatically running files from disk. This Windows “feature” has come in for heavy criticism from security experts, and, not surprisingly, has been widely used to spread malware. We classify such malware as Worm.Win32.Autorun – a classification which covers tens of thousands of threats.

But while we’ve got used, more or less, to autorun.inf malware, and learnt what to do about it, the use of lnk files is something really new. We’ll set aside the name “Linkrun”– just in case 🙂

At the moment, we’ve not drawn any final conclusion – maybe this is a real, as yet unknown vulnerability in Windows, or maybe it’s simply the latest “feature” from Redmond. Of course, Microsoft’s been informed of the problem, so we should find out what’s going on in the next couple of days.

So we’ve reached the end of episode one. Upcoming episodes feature more about the malware, and you’ll find out the reason for the post’s title. To give you a hint – it’s not because we’ve taken up gardening in our spare time 🙂

To be continued…