McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

Stuxnet

This page shows details and results of our analysis on the malware Stuxnet

Threat Detail

Malware Type: Trojan

Malware Sub-type: Worm

Discovery Date: 2010-07-16

Next Steps:

Overview

Stuxnet is a trojan which targets systems running WinCC SCADA software. It spreads utilizing CVE-2010-2568 which allows arbitrary code execution via a crafted .lnk file.   
This has been noted to spread via removable USB drives.


Minimum DAT

6045 (2010-07-16)

Updated DAT

6180 (2010-11-27)

 Minimum Engine

5.4.00

File Length

Varies

 Description Added

2010-07-16

Description Modified

2010-07-22

Malware Proliferation

Characteristics

The main installer contains a dll file called ~WTR4132.tmp which is the main dropper component.
This dropper drops filter drivers, installs them, drops files that inject to system processes, contacts remote hosts.

Initial infection occurs via a USB drive which may contain multiple .lnk files which point to a dll file ~WTR4141.tmp (signed with "Realtek Semiconductor Corp" ) which is used to load the main dropper ~WTR4132.tmp from a USB drive

Additionally this loader component hides .tmp and .lnk files by hooking some of the following functions:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile

The dropper on execution creates the following files:

  • %System%\drivers\mrxcls.sys
  • %System%\drivers\mrxnet.sys

These drivers are used to hide files and inject code into running processes

Multiple .pnf file are created as.

  • %Windir%\inf\mdmcpq3.PNF
  • %Windir%\inf\mdmeric3.PNF
  • %Windir%\inf\oem6C.PNF
  • %Windir%\inf\oem7A.PNF

These files are later decrypted and injected into running processes (on our system these were injected into lsass,exe, svchost.exe and services.exe)

The following Registry Keys are Created as a registration towards the Services:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
    • Description: "MRXCLS"
    • DisplayName: "MRXCLS"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxcls.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum
    • 0: "Root\LEGACY_MRXCLS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
    • Description: "MRXNET"
    • DisplayName: "MRXNET"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxnet.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum
    • 0: "Root\LEGACY_MRXNET\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001

Additional files that may be observed on the system include:

s7otbxsx.dll - This is a malicious wrapper for a legitimate Siemens file. This DLL is used to intercept calls to legit function. The wrapper passed control to its code before transferring control back to the original DLL and invoked function

Network connections to the following may be observed:

  • windowsupdate.com
  • mypremierfutbol.com
  • msn.com
  • todaysfutbol.com

Symptoms

Prescence of the afore mentioned Registry Keys and files

Method of Infection

Initial infection via USB key that have .lnk files exploiting CVE-2010-2568

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

United States - English