Some info on this new malware spreading these days under the name of TmpHider/Stuxnet
Let’s start with the propagation method, which is the only novel aspect of this malware. As already discussed and reported on multiple forums online, this particular piece of malware exploits some unidentified bug in the LNK file format to autostart itself when a USB key is opened.
Once infected, you’ll find on the USB pen two LNK files and two TMP files; opening one of the LNK files, we can see inside it the UNC path to the TMP file, which is actually a DLL.
I haven’t completely analyzed these two DLLs yet, but I guess they contain the infection logic and are responsible for dropping and installing the two SYS files.
So what I did was attach to explorer.exe and set a breakpoint on LoadLibrary, and this is what I got:
As you can see, it’s trying to load the TMP file from the system32 directory; something is not going as expected, right? My guess is that’s because the UNC path inside the LNK file is specific to the USB pen, so if you copy the LNK and TMP files to a different USB pen they won’t work.
Let’s start from the LNK file, since it’s clear that it is triggering the loading of the DLL in some way, and since there is no sign of shellcode it must be some kind of logic bug or “feature”. My starting point was Microsoft’s LNK format reference, to see how that path is interpreted.
The path is expressed as a PIDL and is composed of three components (two of which are represented through their CLSID):
{20D04FE0-3AEA-1069-A2D8-08002B30309D} {21EC2020-3AEA-1069-A2DD-08002B30309D} \\.\STORAGE#Volume#_??_....\file.tmp
which corresponds to
{My computer} {Control Panel} \\.\STORAGE#Volume#_??_....\file.tmp
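To make that PIDL layout concrete, here is an added example (my own triage script, not the author’s code and not the malware’s files): it walks a shortcut’s LinkTargetIDList following the MS-SHLLINK layout (0x4C-byte header, LinkFlags at offset 0x14, then a size-prefixed list of ItemIDs ending in a zero TerminalID), renders the CLSID of each root-folder item, and flags the pattern above: a Control Panel item followed by an item that carries a volume path, which a normal shortcut to a Control Panel applet never has. The .lnk bytes are constructed inside the script with a placeholder volume GUID; the byte layout of the third (path) item is an assumption, since the post does not give its raw bytes.

```python
"""Triage helper for .lnk files: parse the LinkTargetIDList (PIDL) and flag a
Control Panel CLSID item that is followed by an item carrying a file path.
All sample data below is constructed for the example."""
import re
import struct
import uuid

# MS-SHLLINK header: fixed 0x4C bytes, LinkCLSID at offset 4, LinkFlags at 0x14.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Shell-namespace CLSIDs quoted in the post.
MY_COMPUTER = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
CONTROL_PANEL = "{21EC2020-3AEA-1069-A2DD-08002B30309D}"


def clsid_str(guid_le: bytes) -> str:
    """Render a 16-byte little-endian GUID in the usual {XXXXXXXX-...} form."""
    return "{%s}" % str(uuid.UUID(bytes_le=guid_le)).upper()


def parse_id_list(blob: bytes):
    """Return the ItemIDs of the LinkTargetIDList as a list of dicts.

    Each ItemID is a 2-byte size cb (which includes the size field itself)
    followed by cb-2 data bytes; the list ends with a 2-byte TerminalID of 0.
    """
    if len(blob) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", blob, 0)
    if header_size != LNK_HEADER_SIZE or blob[4:20] != LNK_CLSID.bytes_le:
        raise ValueError("not a shell link header")
    flags, = struct.unpack_from("<I", blob, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    off = LNK_HEADER_SIZE
    id_list_size, = struct.unpack_from("<H", blob, off)
    off += 2
    end = off + id_list_size
    items = []
    while off + 2 <= end:
        cb, = struct.unpack_from("<H", blob, off)
        if cb == 0:  # TerminalID
            break
        data = blob[off + 2:off + cb]
        item = {"type": data[0] if data else None, "clsid": None, "strings": []}
        # Root-folder item: type byte 0x1F, one sort-index byte, 16-byte CLSID.
        if item["type"] == 0x1F and len(data) >= 18:
            item["clsid"] = clsid_str(data[2:18])
        # Any UTF-16LE printable run is where a UNC/device path would live.
        item["strings"] = [s.decode("utf-16le")
                           for s in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", data)]
        items.append(item)
        off += cb
    return items


def flag_suspicious(items) -> bool:
    """True if a Control Panel item is directly followed by an item with a path."""
    for cur, nxt in zip(items, items[1:]):
        if cur["clsid"] == CONTROL_PANEL and any("\\" in s for s in nxt["strings"]):
            return True
    return False


# --- constructed sample shortcuts (not real malware files) -------------------

def root_item(clsid: str, sort_index: int) -> bytes:
    data = bytes([0x1F, sort_index]) + uuid.UUID(clsid).bytes_le
    return struct.pack("<H", len(data) + 2) + data


def path_item(path: str) -> bytes:
    # Assumed layout: one type byte, one pad byte, then the UTF-16LE path.
    data = b"\x00\x00" + path.encode("utf-16le") + b"\x00\x00"
    return struct.pack("<H", len(data) + 2) + data


def build_sample_lnk(via_control_panel: bool = True) -> bytes:
    """Header + ID list: My Computer, (optionally) Control Panel, then a path item."""
    id_list = root_item(MY_COMPUTER, 0x50)
    if via_control_panel:
        id_list += root_item(CONTROL_PANEL, 0x00)
    id_list += path_item(r"\\.\STORAGE#Volume#_??_PLACEHOLDER\file.tmp")
    id_list += b"\x00\x00"  # TerminalID
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    items = parse_id_list(build_sample_lnk())
    for item in items:
        print(item)
    print("suspicious:", flag_suspicious(items))
```

On a real sample you would read the file bytes instead of calling build_sample_lnk(); the parser only trusts the header size and CLSID, so it also rejects renamed files that are not shortcuts at all.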
I didn’t catch any other relevant differences between a normal LNK and this one, except for how the path is expressed. Anyway, that’s all for now; more details coming over the weekend on how that path leads to execution.
edit: typo, it’s Control Panel not Computer Panel, of course
edit: local LNK format spec here