Threat Encyclopedia

LNK_STUXNET

Publish date: October 09, 2012

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type:Trojan

  • Destructiveness:No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via removable drives, Propagates via software vulnerabilities


STUXNET malware were spotted in 2010, spreading via removable drives and via exploitation of two Microsoft-related vulnerabilities. More notably, it exploits the .LNK shortcut vulnerability, which prompted Microsoft to issue an out-of-band patch days after its first variant came out.

In later investigations, STUXNET was revealed to be targeting computers controlling critical infrastructures known as SCADA systems. Its malware codes reveal that it targets specific computers with specific hardware configurations. As of 2012, no definite conclusions are laid out as to why it targets highly specific computers.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Connects to URLs/IPs, Steals information

Installation

This Trojan drops the following files:

  • %User Temp%\malware.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following component file(s):

  • %System%\drivers\mrxcls.sys
  • %System%\drivers\mrxnet.sys
  • {drive letter}:\ Copy of Shortcut to.lnk
  • %System%\wbem\mof\sysnullevnt.mof
  • C:\WINDOWS\Help\winmic.fts

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious files:

  • %Windows%\inf\mdmcpq3.PNF
  • %Windows%\inf\mdmeric3.PNF
  • %Windows%\inf\oem6C.PNF
  • %Windows%\inf\oem7A.PNF

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following copies of itself into the affected system:

  • {drive letter}:\~WTR4132.tmp
  • {drive letter}:\~WTR4141.tmp

Other Details

This Trojan connects to the following URL(s) to check for an Internet connection:

  • www.windowsupdate.com
  • www.msn.com

It connects to the following possibly malicious URL:

  • www.{BLOCKED}rfutbol.com
  • www.{BLOCKED}futbol.com

Featured Stories

Connect with us on