Proactive IT security

W32/Stuxnet.A

Threat risk: medium

Latest published virus definition file:
Description created: 2010-07-09
Description updated: 2010-08-03

Malware type: Worm
Alias: TrojanDropper:Win32/Stuxnet.A (Microsoft), Trojan-Dropper.Win32.Stuxnet.d (Kaspersky), Stuxnet (McAfee), W32.Stuxnet (Symantec)
Spreading mechanism: Other

Payload:
Dropped components have rootkit characteristics.

Summary

W32/Stuxnet.A belongs to a worm family that spreads through removable drives. It does so by exploiting a recently discovered vulnerability in the Microsoft Windows Shell: it drops shortcut files (.LNK) that are processed automatically when the removable drive is opened, so the malware runs without the user launching anything.

Microsoft released a security update on 2 August 2010 that fixes this vulnerability.

Spreading description

W32/Stuxnet.A propagates by infecting every USB drive connected to the infected system. It copies a specially crafted shortcut file (.LNK) to the drive together with the malware loader (the infector).

Threat description

On execution, the worm drops two malicious drivers with rootkit functionality into System32\drivers\:

mrxnet.sys - detected as "W32/Stuxnet.E"
mrxcls.sys - detected as "W32/Stuxnet.D"

Next, the worm registers the driver files as services so that they are loaded early on every subsequent system start. The presence of the following registry entries confirms that the system is compromised:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls "ImagePath"
        Data: \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet "ImagePath"
        Data: \??\C:\WINDOWS\system32\Drivers\mrxnet.sys

The drivers are installed so that whenever a removable device is inserted, the worm can automatically copy itself to that device.

W32/Stuxnet.A also drops the following encrypted data files in the Windows\inf folder:

Mdmcpq3.PNF
Mdmeric3.PNF
Oem6c.PNF
Oem7a.PNF

Infected Removable Drives

W32/Stuxnet.A drops the following files on the removable device; when that device is connected to another system, the infection propagates from there.

~wtr[xxxx].tmp
~wtr[xxxx].tmp

Copy of shortcut to.lnk
Copy of Copy of shortcut to.lnk
Copy of Copy of Copy of shortcut to.lnk
Copy of Copy of Copy of Copy of shortcut to.lnk

These shortcut files point to the .tmp loader files listed above.
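An added detection check (not part of the Norman description) that applies the indicators above: the ~wtr[xxxx].tmp loader plus "Copy of ... shortcut to.lnk" pattern on a removable-drive root, and the MRxCls/MRxNet service ImagePath entries listed under Threat description. The file names and service values below are constructed sample input; on a live host the listing would come from the drive root and the values from HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# Indicators from the description: ~wtr[xxxx].tmp loaders and the chain of
# "Copy of ... shortcut to.lnk" files that reference them on the drive root.
WTR_RE = re.compile(r"^~wtr\d{4}\.tmp$", re.IGNORECASE)
LNK_RE = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)

# Driver image names registered under Services\MRxCls and Services\MRxNet.
ROOTKIT_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}

# Constructed sample listing of a removable drive root (digits are made up;
# the description only gives the ~wtr[xxxx].tmp pattern).
SAMPLE_DRIVE_ROOT = [
    "~wtr1234.tmp",
    "~wtr5678.tmp",
    "Copy of shortcut to.lnk",
    "Copy of Copy of shortcut to.lnk",
    "Copy of Copy of Copy of shortcut to.lnk",
    "Copy of Copy of Copy of Copy of shortcut to.lnk",
    "holiday.jpg",
]
SAMPLE_CLEAN_ROOT = ["holiday.jpg", "Copy of shortcut to.lnk"]

# Constructed service name -> ImagePath values, as read from the registry.
SAMPLE_SERVICES = {
    "MRxCls": r"\??\C:\WINDOWS\system32\Drivers\mrxcls.sys",
    "MRxNet": r"\??\C:\WINDOWS\system32\Drivers\mrxnet.sys",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}


def scan_drive_listing(names):
    """Match loader and shortcut indicators in a drive-root listing.
    Only the combination of at least one loader and at least one shortcut
    chain is reported as suspicious; a lone .lnk file is not enough."""
    names = list(names)
    loaders = sorted(n for n in names if WTR_RE.match(n))
    shortcuts = sorted((n for n in names if LNK_RE.match(n)), key=len)
    return {"loaders": loaders, "shortcuts": shortcuts,
            "suspicious": bool(loaders) and bool(shortcuts)}


def check_services(services):
    """Return services whose ImagePath file name is one of the Stuxnet drivers."""
    hits = {}
    for name, image_path in services.items():
        base = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in ROOTKIT_DRIVERS:
            hits[name] = image_path
    return hits
```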

Additional behavior

Some variants of W32/Stuxnet are capable of injecting their malicious code into running processes and performing backdoor activities.


Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Medium | Title | Remark
       | Stopping network share infectors |
       | Cleaning up backup folders under Windows Me and XP |