Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Worm
  • Protection Added: 2010-07-16
Stuxnet is a trojan that targets systems running WinCC SCADA software. It spreads by exploiting CVE-2010-2568, which allows arbitrary code execution via a crafted .lnk file.
It has been observed spreading via removable USB drives.

The main installer contains a DLL file called ~WTR4132.tmp, which is the main dropper component.
This dropper drops and installs filter drivers, drops files that are injected into system processes, and contacts remote hosts.

Initial infection occurs via a USB drive, which may contain multiple .lnk files pointing to a DLL file ~WTR4141.tmp (signed "Realtek Semiconductor Corp"). This loader is used to load the main dropper ~WTR4132.tmp from the USB drive.

Additionally, this loader component hides .tmp and .lnk files from directory listings by hooking some of the following functions:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile

The dropper on execution creates the following files:

  • %System%\drivers\mrxcls.sys
  • %System%\drivers\mrxnet.sys

These drivers are used to hide files and inject code into running processes.

Multiple .PNF files are also created:

  • %Windir%\inf\mdmcpq3.PNF
  • %Windir%\inf\mdmeric3.PNF
  • %Windir%\inf\oem6C.PNF
  • %Windir%\inf\oem7A.PNF

These files are later decrypted and injected into running processes (on our test system they were injected into lsass.exe, svchost.exe and services.exe).

The following registry keys are created to register the drivers as services:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
    • Description: "MRXCLS"
    • DisplayName: "MRXCLS"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxcls.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum
    • 0: "Root\LEGACY_MRXCLS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
    • Description: "MRXNET"
    • DisplayName: "MRXNET"
    • ErrorControl: 0x00000000
    • Group: "Network"
    • ImagePath: "%system%\Drivers\mrxnet.sys"
    • Start: 0x00000001
    • Type: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum
    • 0: "Root\LEGACY_MRXNET\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001
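The indicators above (the dropped driver and .PNF paths, the MRxCls/MRxNet service registrations with their ImagePath, Group, Start and Type values, and the ~WTR*.tmp and .lnk names that the loader's hooks on FindFirstFileW and related functions hide) can be checked against data a responder has already collected. The script below is an added example in Python, not McAfee's tooling and not code from this advisory. The file listing, registry export and the two directory views it runs over are constructed sample data; the %System%/%Windir% expansion and the shape of the registry export (a dictionary of key to value-name/data pairs) are assumptions about how the triage data was exported.

```python
"""Offline triage of the Stuxnet indicators listed in this advisory.
Added example, not McAfee's code: it runs over data a responder has already
collected (a file listing and a registry export), so it works off the host.
"""
import fnmatch

# Files the advisory lists as dropped by ~WTR4132.tmp.
FILE_IOCS = [
    r"%System%\drivers\mrxcls.sys",
    r"%System%\drivers\mrxnet.sys",
    r"%Windir%\inf\mdmcpq3.PNF",
    r"%Windir%\inf\mdmeric3.PNF",
    r"%Windir%\inf\oem6C.PNF",
    r"%Windir%\inf\oem7A.PNF",
]

# Service registrations from the advisory. Start 1 is SERVICE_SYSTEM_START
# and Type 1 is SERVICE_KERNEL_DRIVER (standard Windows service constants).
SERVICE_IOCS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls": {
        "ImagePath": r"%system%\Drivers\mrxcls.sys", "Group": "Network",
        "Start": 1, "Type": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet": {
        "ImagePath": r"%system%\Drivers\mrxnet.sys", "Group": "Network",
        "Start": 1, "Type": 1},
}

# Name patterns the loader (~WTR4141.tmp) hides from directory enumeration.
HIDDEN_NAME_PATTERNS = ["~wtr*.tmp", "*.lnk"]

def expand(path, env):
    """Replace %System% / %Windir% placeholders, ignoring case (assumed format)."""
    out = path
    for name, value in env.items():
        token = "%" + name.lower() + "%"
        idx = out.lower().find(token)
        while idx != -1:
            out = out[:idx] + value + out[idx + len(token):]
            idx = out.lower().find(token)
    return out

def _norm(value, env):
    """Normalise a registry/IoC value for comparison: expand and lowercase strings."""
    return expand(value, env).lower() if isinstance(value, str) else value

def check_files(present_paths, env):
    """Return the advisory's file IoCs that appear in a collected file listing."""
    present = {p.lower() for p in present_paths}
    return [ioc for ioc in FILE_IOCS if expand(ioc, env).lower() in present]

def check_services(registry, env):
    """Match a registry export ({key: {value_name: data}}) against the
    MRxCls/MRxNet registrations. Returns {key: [value names that matched]}."""
    hits = {}
    lookup = {k.lower(): v for k, v in registry.items()}
    for key, expected in SERVICE_IOCS.items():
        values = lookup.get(key.lower(), {})
        matched = [n for n, want in expected.items()
                   if _norm(values.get(n), env) == _norm(want, env)]
        if matched:
            hits[key] = matched
    return hits

def hidden_entries(api_listing, raw_listing):
    """Cross-view check: names in a raw on-disk listing that the Win32 API
    view omits, restricted to the patterns the loader's hooks hide."""
    api = {n.lower() for n in api_listing}
    return sorted(n for n in raw_listing if n.lower() not in api
                  and any(fnmatch.fnmatch(n.lower(), p)
                          for p in HIDDEN_NAME_PATTERNS))

# Constructed sample triage data (not taken from a real host).
SAMPLE_ENV = {"System": r"C:\WINDOWS\system32", "Windir": r"C:\WINDOWS"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\drivers\mrxcls.sys",
                r"C:\WINDOWS\system32\drivers\MRXNET.SYS",
                r"C:\WINDOWS\inf\mdmcpq3.PNF", r"C:\WINDOWS\inf\oem7A.PNF",
                r"C:\WINDOWS\system32\drivers\ntfs.sys"]
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls": {
        "Description": "MRXCLS", "DisplayName": "MRXCLS", "ErrorControl": 0,
        "Group": "Network", "Start": 1, "Type": 1,
        "ImagePath": r"C:\WINDOWS\system32\Drivers\mrxcls.sys"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip": {
        "Group": "PNP_TDI", "Start": 1, "Type": 1},
}
SAMPLE_API_VIEW = ["autorun.inf", "report.doc"]
SAMPLE_RAW_VIEW = SAMPLE_API_VIEW + ["~WTR4132.tmp", "~WTR4141.tmp", "shortcut.lnk"]

if __name__ == "__main__":
    print("files:", check_files(SAMPLE_FILES, SAMPLE_ENV))
    print("services:", check_services(SAMPLE_REGISTRY, SAMPLE_ENV))
    print("hidden:", hidden_entries(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW))
```

The cross-view check is the useful part for the hooked enumeration functions: a listing taken through the Win32 API on a live infected host will omit the ~WTR*.tmp and .lnk entries, while a raw listing (mounted image, offline parse of the volume, or a boot from clean media) still shows them; any name that appears only in the raw view is worth pulling for analysis. Comparing service values case-insensitively after placeholder expansion avoids missing a hit because the export wrote the ImagePath with a different case or with %SystemRoot% already expanded.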

Additional files that may be observed on the system include:

s7otbxsx.dll - This is a malicious wrapper for a legitimate Siemens file. The DLL is used to intercept calls to the legitimate functions: the wrapper passes control to its own code before transferring control back to the original DLL and the invoked function.

Network connections to the following may be observed:


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Initial infection via a USB key containing .lnk files that exploit CVE-2010-2568
Presence of the aforementioned registry keys and files