Threat Encyclopedia

Win32/Stuxnet.A

Aliases: Trojan-Dropper.Win32.Stuxnet.a (Kaspersky), Worm:Win32/Stuxnet.B (Microsoft), W32.Stuxnet (Symantec)
Type of infiltration: Worm
Size: 25720 B, 513536 B
Affected platforms: Microsoft Windows
Signature database version: 5282 (20100715)

Short description

Win32/Stuxnet.A is a worm that spreads via removable media. The worm spreads itself by exploiting a vulnerability in the operating system of the targeted machine, CVE-2010-2568. It uses techniques common to rootkits.

Installation

When executed, the worm creates the following files:
  • %windir%\inf\oem7A.PNF
  • %windir%\inf\oem6c.pnf
  • %windir%\inf\mdmcpq3.pnf
  • %windir%\inf\mdmeric3.pnf
  • %system%\drivers\mrxcls.sys
  • %system%\drivers\mrxnet.sys
The worm installs the following system drivers:
  • %system%\drivers\mrxcls.sys
  • %system%\drivers\mrxnet.sys
The worm registers itself as a system service using the following names:
  • MRXNET
  • MRXCLS
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
    "Description" = "MRXCLS"
    "DisplayName" = "MRXCLS"
    "ErrorControl" = 0
    "Group" = "Network"
    "ImagePath" = "%system%\drivers\mrxcls.sys"
    "Start" = 1
    "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
    "Description" = "MRXNET"
    "DisplayName" = "MRXNET"
    "ErrorControl" = 0
    "Group" = "Network"
    "ImagePath" = "%system%\drivers\mrxnet.sys"
    "Start" = 1
    "Type" = 1

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filenames:
  • ~wtr4132.tmp (513536 B)
  • ~wtr4141.tmp (25720 B)
The following files are dropped in the same folder:
  • Copy of Shortcut to.lnk
  • Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Copy of Shortcut to.lnk
The worm spreads itself by exploiting a vulnerability in the operating system of the targeted machine. This vulnerability is described in CVE-2010-2568.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm may create the following files:
  • %temp%\~DF%variable%.tmp
The %variable% represents a random number.

The worm alters the behavior of the following processes:
  • Windows Defender real-time protection
The worm may create and run a new thread with its own program code within the following processes:
  • CCprojectMgr.exe
  • explorer.exe
  • iexplore.exe
  • lsass.exe
  • s7tgtopx.exe
  • services.exe
  • svchost.exe
  • winlogon.exe
The worm checks for Internet connectivity by trying to connect to the following servers:
  • www.msn.com
  • www.windowsupdate.com
The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • www.mypremierfutbol.com
  • www.todaysfutbol.com
The following information is collected:
  • operating system version
  • computer name
  • computer IP address
It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
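The following host-triage script is an added example, not part of the ESET entry, that checks a Windows machine for the artifacts this entry lists: the dropped .PNF files and drivers from the Installation section, the MRxCls/MRxNet service keys used for persistence, the worm copies and shortcut files from the Spreading on removable media section, and the two command-and-control domains from Other information. It assumes an elevated PowerShell 3.0 or later session (it uses Get-CimInstance) on the host under examination; the function name Find-StuxnetAIndicators and the message wording are mine.

```powershell
# Added example (not part of the ESET entry): triage a Windows host for the
# indicators listed in this entry. Run from an elevated PowerShell prompt.
# Function name and output text are this example's own choices.
function Find-StuxnetAIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped .PNF files in %windir%\inf and the two drivers in %system%\drivers
    $system = Join-Path $env:SystemRoot 'System32'
    $files = @(
        (Join-Path $env:SystemRoot 'inf\oem7A.PNF'),
        (Join-Path $env:SystemRoot 'inf\oem6c.pnf'),
        (Join-Path $env:SystemRoot 'inf\mdmcpq3.pnf'),
        (Join-Path $env:SystemRoot 'inf\mdmeric3.pnf'),
        (Join-Path $system 'drivers\mrxcls.sys'),
        (Join-Path $system 'drivers\mrxnet.sys')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
    }

    # 2. Persistence: service keys for MRxCls / MRxNet (Type 1 = kernel driver,
    #    Start 1 = SYSTEM_START, so the driver loads early in boot)
    foreach ($name in 'MRxCls', 'MRxNet') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $key
            $findings.Add("Service key present: $key ImagePath='$($p.ImagePath)' Start=$($p.Start) Type=$($p.Type)")
        }
        # Kernel drivers are not returned by Get-Service; ask WMI/CIM instead
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($drv) { $findings.Add("Driver registered: $($drv.Name) state=$($drv.State) path=$($drv.PathName)") }
    }

    # 3. Removable media: worm copies (checked against the sizes the entry gives)
    #    and the four shortcut files that trigger CVE-2010-2568
    $expectedSize = @{ '~wtr4132.tmp' = 513536; '~wtr4141.tmp' = 25720 }
    $lnkNames = 'Copy of Shortcut to.lnk',
                'Copy of Copy of Shortcut to.lnk',
                'Copy of Copy of Copy of Shortcut to.lnk',
                'Copy of Copy of Copy of Copy of Shortcut to.lnk'
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
    foreach ($d in $removable) {
        $root = $d.DeviceID + '\'
        foreach ($n in $expectedSize.Keys) {
            $p = Join-Path $root $n
            if (Test-Path -LiteralPath $p) {
                # -Force so hidden files are returned
                $len = (Get-Item -LiteralPath $p -Force).Length
                $note = if ($len -eq $expectedSize[$n]) { 'size matches entry' } else { "size $len differs from entry" }
                $findings.Add("Removable-media copy: $p ($note)")
            }
        }
        foreach ($n in $lnkNames) {
            $p = Join-Path $root $n
            if (Test-Path -LiteralPath $p) { $findings.Add("Removable-media shortcut: $p") }
        }
    }

    # 4. C2 contact: look for the two domains in the local resolver cache
    $c2 = 'www.mypremierfutbol.com', 'www.todaysfutbol.com'
    $dns = ipconfig /displaydns 2>$null
    foreach ($domain in $c2) {
        if ($dns | Select-String -Pattern $domain -SimpleMatch -Quiet) {
            $findings.Add("DNS cache entry for C2 domain: $domain")
        }
    }

    return $findings
}

$hits = Find-StuxnetAIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No indicators from this entry were found on this host.'
} else {
    Write-Output "Indicators found ($($hits.Count)); isolate the host and preserve the listed artifacts:"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

The DNS-cache check only sees names resolved since the last cache flush, so an empty result there is not proof of absence; the file, driver and registry checks are the reliable ones. Because the entry lists both drivers with Start = 1, a clean host should have no MRxCls or MRxNet key at all, so any hit on step 2 is worth escalating even if the driver files themselves have been removed.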