Worm:Win32/Stuxnet.A
Encyclopedia entry
Updated: Aug 03, 2010 | Published: Jul 19, 2010
Aliases
- RKIT/Stuxnet.A (Avira)
- Win32/Stuxnet.A (CA)
- Trojan.Stuxnet.1 (Dr.Web)
- Stuxnet (McAfee)
- RTKT_STUXNET.A (Trend Micro)
- Trojan:Win32/Stuxnet.A (other)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected. Detection initially created:
Definition: 1.87.55.0
Released: Jul 16, 2010
Summary
Worm:Win32/Stuxnet.A is the detection for a worm that spreads to all removable drives. It does this by dropping shortcut files (.LNK) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer).
It is capable of dropping and installing other components, injecting code into currently-running processes, and allowing backdoor access and control to the infected computer.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
  <system folder>\mrxcls.sys
  <system folder>\mrxnet.sys
- The presence of the following registry subkeys:
  HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
  HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
Technical Information (Analysis)
Worm:Win32/Stuxnet.A is the detection for a worm that spreads to all removable drives. It does this by dropping shortcut files (.LNK) that automatically run when the removable drive is accessed using an application that displays shortcut icons (for example, Windows Explorer).
Installation
When run, Worm:Win32/Stuxnet.A creates a randomly-named mutex such as "FJKIKK" or "FJGIJK". The worm also opens or creates one or more of the following mutexes:
- @ssd<random hex number>
- Global\Spooler_Perf_Library_Lock_PID_01F
- Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
- Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
- Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
- Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
- Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
- Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}
Spreads via...
Removable drives
Worm:Win32/Stuxnet.A drops the following files in all removable drives:
It also drops a .LNK file that serves as a shortcut to "~wtr4141.tmp" or "~wtr4132.tmp"; the .LNK file may have any of the following names:
- "Copy of Shortcut to.lnk"
- "Copy of Copy of Shortcut to.lnk"
- "Copy of Copy of Copy of Shortcut to.lnk"
- "Copy of Copy of Copy of Copy of Shortcut to.lnk"
The .LNK files are detected as Exploit:Win32/CplLnk.A.
Payload
Installs other malware
Worm:Win32/Stuxnet.A installs the following Stuxnet components:
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The worm also creates the following registry subkeys with the associated values to run the dropped components as services:
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
It installs the drivers so that when a removable media drive such as a USB drive is inserted, it automatically executes itself.
Injects code
Worm:Win32/Stuxnet.A may inject code to the following processes:
- explorer.exe
- services.exe
- svchost.exe
- lsass.exe
The injected code contains links to the following sites related to online betting for football:
Worm:Win32/Stuxnet.A also creates the following encrypted data files:
- %windir%\inf\mdmcpq3.pnf
- %windir%\inf\mdmeric3.pnf
- %windir%\inf\oem6c.pnf
- %windir%\inf\oem7a.pnf
These files are decrypted and loaded by the injected code.
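The file, registry and removable-drive indicators listed in the Symptoms, Spreads via and Payload sections above, gathered into one read-only triage script. This is an added example, not part of the Microsoft encyclopedia entry; it assumes Windows PowerShell 3.0 or later, checks only the names the entry lists, and generalizes the four listed .LNK names to any number of "Copy of " prefixes.

```powershell
# Added triage script (not from the encyclopedia entry): reports the
# Worm:Win32/Stuxnet.A indicators listed on this page. Read-only; it
# removes nothing. Assumes Windows PowerShell 3.0+ and an elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped driver files in the System folder (Symptoms section)
$sys = [Environment]::SystemDirectory
foreach ($f in 'mrxcls.sys', 'mrxnet.sys') {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Service registry subkeys that load the dropped drivers
foreach ($svc in 'MRxCls', 'MRxNet') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $k) {
        $img = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service key present: $k (ImagePath: $img)")
    }
}

# 3. Encrypted data files dropped under %windir%\inf
foreach ($f in 'mdmcpq3.pnf', 'mdmeric3.pnf', 'oem6c.pnf', 'oem7a.pnf') {
    $p = Join-Path $env:windir "inf\$f"
    if (Test-Path -LiteralPath $p) { $findings.Add("Encrypted data file present: $p") }
}

# 4. Removable drives (DriveType 2): the "Copy of ... Shortcut to.lnk" files
#    and the ~wtr4141.tmp / ~wtr4132.tmp payloads they point at
$lnkPattern = '^(Copy of )+Shortcut to\.lnk$'
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    # -Force is required: the dropped files are hidden
    Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -match $lnkPattern -or $_.Name -in '~wtr4141.tmp', '~wtr4132.tmp') {
            $findings.Add("Removable-drive artifact: $($_.FullName)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Worm:Win32/Stuxnet.A indicators found.' } else { $findings }
```

A hit on the service keys or driver files should be treated as a live infection and handed to the Recovery steps; the removable-drive check alone only shows that a drive has carried the worm.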
Allows backdoor access and control
Worm:Win32/Stuxnet.A connects to a remote server and may perform actions including the following:
- Terminate processes
- Execute SQL queries
- Connect to certain websites
- Download and execute arbitrary files
- Send information
Analysis by Francis Allan Tan Seng
Prevention
This worm uses the vulnerability discussed in Microsoft Security Bulletin MS10-046 as an attack vector. Refer to the advisory for mitigating factors and workarounds to the vulnerability.
Take the following steps to help prevent infection on your computer:
- Enable a firewall on your computer.
- Get the latest computer updates for all your installed software.
- Use up-to-date antivirus software.
- Limit user privileges on the computer.
- Use caution when opening attachments and accepting file transfers.
- Use caution when clicking on links to web pages.
- Avoid downloading pirated software.
- Protect yourself against social engineering attacks.
- Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates available from vendor websites.