For Home

Virus Profile: Stuxnet

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/16/2010
Date Added: 7/16/2010
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Worm
DAT Required: 6045
Removal Instructions
   
 
 
   

Description

Stuxnet is a trojan which targets systems running WinCC SCADA software. It spreads utilizing CVE-2010-2568 which allows arbitrary code execution via a crafted .lnk file.   
This has been noted to spread via removable USB drives.

Indication of Infection

Prescence of the afore mentioned Registry Keys and files

Methods of Infection

Initial infection via USB key that have .lnk files exploiting CVE-2010-2568
   

Virus Characteristics

The main installer contains a dll file called ~WTR4132.tmp which is the main dropper component.
This dropper drops filter drivers, installs them, drops files that inject to system processes, contacts remote hosts.

Initial infection occurs via a USB drive which may contain multiple .lnk files which point to a dll file ~WTR4141.tmp (signed with "Realtek Semiconductor Corp" ) which is used to load the main dropper ~WTR4132.tmp from a USB drive

Additionally this loader component hides .tmp and .lnk files by hooking some of the following functions:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile

The dropper on execution creates the following files:

  • %System%\drivers\mrxcls.sys
  • %System%\drivers\mrxnet.sys

These drivers are used to hide files and inject code into running processes

Multiple .pnf file are created as.

  • %Windir%\inf\mdmcpq3.PNF
  • %Windir%\inf\mdmeric3.PNF
  • %Windir%\inf\oem6C.PNF
  • %Windir%\inf\oem7A.PNF

These files are later decrypted and injected into running processes (on our system these were injected into lsass,exe, svchost.exe and services.exe)

The following Registry Keys are Created as a registration towards the Services:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
    • Description: "MRXCLS"
    • DisplayName: "MRXCLS"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxcls.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum
    • 0: "Root\LEGACY_MRXCLS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
    • Description: "MRXNET"
    • DisplayName: "MRXNET"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxnet.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum
    • 0: "Root\LEGACY_MRXNET\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001

Additional files that may be observed on the system include:

s7otbxsx.dll - This is a malicious wrapper for a legitimate Siemens file. This DLL is used to intercept calls to legit function. The wrapper passed control to its code before transferring control back to the original DLL and invoked function

Network connections to the following may be observed:

  • windowsupdate.com
  • mypremierfutbol.com
  • msn.com
  • todaysfutbol.com
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).