Lumension® Endpoint Intelligence Center
Overview

| Payload | Dropped components have rootkit characteristics. |
| Description created | 09 Jul 2010 12:06:00 |
| Description updated | 03 Aug 2010 03:06:00 |
| Malware type | WORM |
| Alias | TrojanDropper:Win32/Stuxnet.A (Microsoft); Trojan-Dropper.Win32.Stuxnet.d (Kaspersky); Stuxnet (McAfee); W32.Stuxnet (Symantec) |
| Spreading mechanism | OTHER (removable media) |

Summary
W32/Stuxnet.A
Spreading
W32/Stuxnet.A propagates by infecting every USB drive connected to the infected system. It copies onto the drive a specially crafted shortcut file (.LNK) together with the malware loader (the infector). The shortcut exploits the Windows Shell .LNK vulnerability (MS10-046, CVE-2010-2568): the loader is executed as soon as the drive's contents are rendered in Explorer, without the user opening any file.
Payload Details
On execution, the worm drops two malicious kernel-mode drivers with rootkit functionality into System32\drivers\. Both carried a valid digital signature made with a stolen Realtek Semiconductor code-signing certificate, so a passing signature check alone does not clear them.
mrxnet.sys - detected as “W32/Stuxnet.E”
mrxcls.sys - detected as “W32/Stuxnet.D”
Next, the worm registers each driver as a service that the system loads at every subsequent boot, so the infection survives restarts. The presence of either of the following registry entries confirms that the system is compromised:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls "ImagePath"
Data: \??\C:\WINDOWS\system32\Drivers\mrxcls.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet "ImagePath"
Data: \??\C:\WINDOWS\system32\Drivers\mrxnet.sys
mrxcls.sys is the component that loads the worm's payload into running processes at each boot, and mrxnet.sys is the file-system filter driver that hides the dropped files (the rootkit behaviour noted above). Whenever a removable device is inserted, the running worm copies itself onto it.
W32/Stuxnet.A also drops the following encrypted data files in the %Windir%\inf folder:
Mdmcpq3.PNF
Mdmeric3.PNF
Oem6c.PNF
Oem7a.PNF
Infected Removable Drives
W32/Stuxnet.A drops the following files in the root of the removable device; when that drive is browsed on another system, the crafted shortcuts cause the loader to run and the propagation continues from there. Note that on a compromised host the mrxnet.sys rootkit driver hides these files from directory listings, so a suspect drive should be examined from a known-clean system.
~wtr[xxxx].tmp
~wtr[xxxx].tmp
The two .tmp files carry different four-digit numbers: one is the loader DLL that the shortcut makes the Windows shell load, the other is the main payload that the loader then loads.
Copy of shortcut to.lnk
Copy of Copy of shortcut to.lnk
Copy of Copy of Copy of shortcut to.lnk
Copy of Copy of Copy of Copy of shortcut to.lnk
The four .lnk files are crafted shortcuts that exploit the .LNK vulnerability (MS10-046); each points the shell at the loader above, so the loader runs as soon as Explorer renders the drive's icons, with no click required.
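The persistence entries (MRxCls/MRxNet services and their driver files), the %Windir%\inf data files and the removable-drive file names above are the indicators a responder actually checks. The script below is an added example, not Lumension's tool or code from the original description: it encodes those indicators as pure matching functions that can be run offline on constructed directory listings, and a live_scan() that applies them to a Windows host using the standard winreg module and os.listdir. The four-digit numbers in the sample .tmp names and the sample listings are made up for the demo.

```python
"""Host triage for the W32/Stuxnet.A indicators listed on this page.
Added example, not Lumension's code. Service names, driver file names, .PNF
names and removable-drive file patterns are taken from the description above;
all sample inputs below are constructed, not captured from a real host.
"""
import os
import re
import sys

KNOWN_SERVICE_NAMES = ("mrxcls", "mrxnet")          # HKLM\...\Services\MRxCls, MRxNet
DRIVER_NAMES = frozenset(("mrxcls.sys", "mrxnet.sys"))
# Encrypted data files dropped in %Windir%\inf.
PNF_NAMES = frozenset(("mdmcpq3.pnf", "mdmeric3.pnf", "oem6c.pnf", "oem7a.pnf"))
# Removable-drive files: ~wtr<4 digits>.tmp plus the nested "Copy of ... shortcut to.lnk".
TMP_RE = re.compile(r"^~wtr\d{4}\.tmp$", re.IGNORECASE)
LNK_RE = re.compile(r"^(copy of )+shortcut to\.lnk$", re.IGNORECASE)


def check_services(services):
    """services: {name: ImagePath} as read from HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Flags the two known service names, and any service whose driver file is one of
    the Stuxnet drivers regardless of what the service has been called."""
    findings = []
    for name, image_path in services.items():
        driver = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() in KNOWN_SERVICE_NAMES or driver in DRIVER_NAMES:
            findings.append(f"service {name} -> {image_path}")
    return findings


def check_inf_dir(filenames):
    """filenames: listing of %Windir%\\inf. Returns the Stuxnet .PNF names present."""
    return sorted(f for f in filenames if f.lower() in PNF_NAMES)


def check_removable_listing(filenames):
    """filenames: root listing of a removable drive. Returns (infected, matches).
    The drive counts as infected only when a ~wtr####.tmp and a crafted shortcut are
    both present: the .lnk alone cannot load a missing DLL and the .tmp alone is never
    executed, but either one is still reported as a leftover worth looking at."""
    tmps = sorted(f for f in filenames if TMP_RE.match(f))
    lnks = sorted(f for f in filenames if LNK_RE.match(f))
    return (bool(tmps) and bool(lnks), tmps + lnks)


# Constructed sample inputs for an offline run (the .tmp digits are invented).
SAMPLE_SERVICES = {
    "Tcpip": r"System32\DRIVERS\tcpip.sys",
    "MRxCls": r"\??\C:\WINDOWS\system32\Drivers\mrxcls.sys",
}
SAMPLE_INF = ["usbstor.inf", "mdmcpq3.PNF", "oem7a.PNF"]
SAMPLE_DRIVE = ["budget.xlsx", "~wtr1234.tmp", "~wtr5678.tmp",
                "Copy of Shortcut to.lnk", "Copy of Copy of Shortcut to.lnk"]


def demo():
    """Run all three checks over the constructed samples."""
    return {
        "services": check_services(SAMPLE_SERVICES),
        "inf": check_inf_dir(SAMPLE_INF),
        "drive": check_removable_listing(SAMPLE_DRIVE),
    }


def live_scan(drive_roots=()):
    """Apply the checks to this host. Registry and %Windir% checks need Windows;
    drive_roots (e.g. ["E:\\"]) are listed with os.listdir on any platform.
    Run it from a clean host with the suspect drive attached: on an infected
    machine the rootkit driver hides the drive files from the listing."""
    report = {}
    if sys.platform == "win32":
        import winreg  # Windows-only standard-library module
        services = {}
        base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
        for i in range(winreg.QueryInfoKey(base)[0]):  # [0] = number of subkeys
            name = winreg.EnumKey(base, i)
            try:
                with winreg.OpenKey(base, name) as key:
                    services[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # no ImagePath value, or no access: nothing to match on
        report["services"] = check_services(services)
        inf_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "inf")
        report["inf"] = check_inf_dir(os.listdir(inf_dir))
    for root in drive_roots:
        report[root] = check_removable_listing(os.listdir(root))
    return report


if __name__ == "__main__":
    # With drive roots on the command line, scan this host; otherwise run the demo.
    results = live_scan(sys.argv[1:]) if sys.argv[1:] else demo()
    for label, value in results.items():
        print(f"{label}: {value}")
```

check_services matches on the driver file name as well as the service name so that a renamed service pointing at mrxcls.sys or mrxnet.sys is still caught; the registry walk in live_scan enumerates every service key for the same reason rather than opening only the two known names.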
Additional behavior
Some variants of W32/Stuxnet inject their malicious code into running processes and perform backdoor activities.
For more information
Exploits for .LNK vulnerability are growing fast (Lumension Security Advisory)
Microsoft Security Bulletin MS10-046 - Critical (with links to downloading security updates)
Analysis
n/a
Removal
n/a
Last Updated: 16 May 2012 10:01:43