
TrojanDropper:Win32/Stuxnet.A


TrojanDropper:Win32/Stuxnet.A is a trojan that drops and installs other Stuxnet components detected as Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B. It also injects code into certain processes. The injected code contains links to certain football betting websites.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

TrojanDropper:Win32/Stuxnet.A is a trojan that drops and installs other Stuxnet components detected as Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B.
Installation
When run, this trojan creates a randomly named mutex such as "FJKIKK" or "FJGIJK". The trojan also opens or creates one or more of the following mutexes:
 
@ssd<hex_number>
Global\Spooler_Perf_Library_Lock_PID_01F
Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}
Payload
Installs Stuxnet components
The trojan dropper also installs the following Stuxnet components:
 
<system folder>\mrxcls.sys - Trojan:WinNT/Stuxnet.A
<system folder>\mrxnet.sys - Trojan:WinNT/Stuxnet.B
 
The trojan dropper creates the following registry subkeys, with associated values, so that the dropped drivers are loaded as services:

HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
 
TrojanDropper:Win32/Stuxnet.A creates the following encrypted data files:
 
C:\Windows\inf\mdmcpq3.pnf
C:\Windows\inf\mdmeric3.pnf
C:\Windows\inf\oem6c.pnf
C:\Windows\inf\oem7a.pnf
 
Injects code
TrojanDropper:Win32/Stuxnet.A may inject code into the following processes:
 
lsass.exe
svchost.exe
services.exe
 
The injected code contains links to the following sites related to online betting for football:

www.mypremierfutbol.com
www.todaysfutbol.com
 
The created .pnf files are decrypted and loaded by the injected code.
 
Analysis by Matt McCormack & Andrei Florin Saygo

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\mrxcls.sys
    <system folder>\mrxnet.sys
  • The presence of the following registry keys:
    HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
    HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
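
A host-triage script that checks for the indicators listed in this entry, added here as an example; it is not part of the Microsoft entry. It assumes <system folder> is %SystemRoot%\System32, that it runs from an elevated PowerShell prompt, and it follows each service's ImagePath so a driver stored elsewhere is still found. Only the fixed mutex names are probed, since the hex suffix of @ssd<hex_number> cannot be known in advance.

```powershell
# Added triage check for the TrojanDropper:Win32/Stuxnet.A indicators in this entry.
# Not Microsoft's code. Assumes <system folder> = %SystemRoot%\System32 and an
# elevated prompt. A hit means "investigate": AV clean-up can leave a Services key
# behind, and the .pnf names mimic legitimate precompiled INF files.

$sysdir   = Join-Path $env:SystemRoot 'System32'
$infdir   = Join-Path $env:SystemRoot 'inf'
$findings = @()

# Service ImagePath values come in several shapes: "\??\C:\...", "\SystemRoot\...",
# "system32\drivers\x.sys", or an already-rooted path. Normalise to a real path.
function Resolve-ImagePath([string]$p) {
    if (-not $p) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($p.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Dropped driver files at the location the entry gives.
foreach ($name in 'mrxcls.sys', 'mrxnet.sys') {
    $path = Join-Path $sysdir $name
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += "driver file present: $path (signature status: $($sig.Status))"
    }
}

# 2. Service keys that load the drivers, plus the driver image they point at
#    and whether the driver object is currently loaded.
foreach ($svc in 'MRxCls', 'MRxNet') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $findings += "service key present: $key (ImagePath: $($props.ImagePath))"
        $image = Resolve-ImagePath $props.ImagePath
        if ($image -and (Test-Path -LiteralPath $image)) {
            $findings += "driver image on disk: $image"
        }
    }
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($drv) { $findings += "driver object registered: $svc (state: $($drv.State))" }
}

# 3. Encrypted data files dropped into %SystemRoot%\inf.
foreach ($name in 'mdmcpq3.pnf', 'mdmeric3.pnf', 'oem6c.pnf', 'oem7a.pnf') {
    $path = Join-Path $infdir $name
    if (Test-Path -LiteralPath $path) {
        $size = (Get-Item -LiteralPath $path).Length
        $findings += "data file present: $path ($size bytes)"
    }
}

# 4. Named mutexes. OpenExisting throws WaitHandleCannotBeOpenedException when the
#    name is absent; UnauthorizedAccessException means it exists but is ACL-protected.
$mutexes = @(
    'Global\Spooler_Perf_Library_Lock_PID_01F',
    'Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}',
    'Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}',
    'Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}',
    'Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}',
    'Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}',
    'Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}'
)
foreach ($m in $mutexes) {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m)
        $h.Dispose()
        $findings += "mutex present: $m"
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }
    catch [System.UnauthorizedAccessException] { $findings += "mutex present (access denied): $m" }
    catch { }
}

if ($findings.Count -eq 0) {
    'No indicators from this entry were found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The mutex probe only sees mutexes that exist at the moment the script runs, so run it while the suspect processes (lsass.exe, svchost.exe, services.exe) are live rather than from an offline image; for an offline disk, only the file and registry checks apply. A signature status other than Valid on a present mrxcls.sys or mrxnet.sys is worth noting, but the entry does not describe the drivers' signing, so treat that field as context rather than as an indicator in itself.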

Prevention


Alert level: Severe
First detected by definition: 1.85.1626.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 07, 2010
This entry was first published on: Jul 07, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • VirTool:WinNT/Rootkitdrv.HK (other)
  • Trojan horse SHeur3.XLI (AVG)
  • Sus/UnkPack-C (Sophos)
  • Rootkit.TmpHider (other)