W32/Stucco-A is a worm for the Windows platform.
When first run, W32/Stucco-A copies itself to <System>\kavo.exe. The following registry entry is created to run kavo.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    kava
    <System32>\kavo.exe
The following files are also created:
<System>\kavo0.dll - detected as Troj/Lineag-Gen
<Temp>\bgymgfnz.dll - detected as Mal/EncPk-AH
<System>\wincab.sys - detected as Mal/RootKit-A
The file wincab.sys is registered as a new service with the name "ytghyuiokjnmvrq". Because of the rootkit's stealth techniques, wincab.sys may not be visible on disk. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YTGHYUIOKJNMVRQ
W32/Stucco-A spreads by copying itself with the hidden filename ntdelect.com to network shares and removable media. The file autorun.inf is also created so that W32/Stucco-A is automatically executed. This file is detected as Mal/AutoInf-A.
The following registry entries are set to further hide W32/Stucco-A:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
    0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000002
    ShowSuperHidden
    0x00000000
W32/Stucco-A downloads further code from a remote site via HTTP. At the time of writing, this site was unavailable.
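The following PowerShell triage script is an added example, not part of the original description, that checks a host for the persistence, dropped-file, service and Explorer-tampering indicators listed above. It assumes the service is registered under HKLM\SYSTEM\CurrentControlSet\Services\ytghyuiokjnmvrq (inferred from the service name) and should be run from an elevated prompt.

```powershell
# Added triage example for the W32/Stucco-A indicators above (not the advisory's own code).
function Get-StuccoIndicators {
    $findings = @()

    # Startup persistence: any Run value whose data points at kavo.exe
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'kavo\.exe') { $findings += "Run value '$($p.Name)' -> $($p.Value)" }
        }
    }

    # Dropped files in the System and Temp directories
    $sys = [Environment]::GetFolderPath('System')
    foreach ($f in @("$sys\kavo.exe", "$sys\kavo0.dll", "$sys\wincab.sys", "$env:TEMP\bgymgfnz.dll")) {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }

    # Rootkit service registration: the driver may be hidden, but these keys usually remain visible.
    # The Services\... path is an assumption derived from the service name given in the description.
    foreach ($k in @('HKLM:\SYSTEM\CurrentControlSet\Services\ytghyuiokjnmvrq',
                     'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YTGHYUIOKJNMVRQ',
                     'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}')) {
        if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
    }

    # Explorer settings the worm changes to keep its files out of sight
    $showall = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
    if ($showall -and $showall.CheckedValue -eq 0) { $findings += 'SHOWALL\CheckedValue is 0 (Windows default is 1)' }
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv) {
        if ($adv.Hidden -eq 2) { $findings += 'Explorer\Advanced\Hidden is 2 (hidden files not shown)' }
        # ShowSuperHidden=0 is also the Windows default, so treat this as corroborating evidence only
        if ($adv.ShowSuperHidden -eq 0) { $findings += 'Explorer\Advanced\ShowSuperHidden is 0 (protected OS files not shown)' }
    }

    # Spreading: hidden ntdelect.com beside an autorun.inf in the root of each mounted drive
    foreach ($d in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }) {
        foreach ($n in @('ntdelect.com', 'autorun.inf')) {
            $path = Join-Path $d.Root $n
            if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
        }
    }
    return $findings
}

$result = Get-StuccoIndicators
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No W32/Stucco-A indicators found.' }
```

Test-Path on the root of a mounted drive does not reveal files hidden by the rootkit; treat a clean result from this script as one input among others (AV scan, offline disk inspection), not as proof of absence.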