Sunday, November 14, 2010

Rootkit.Win32.Stuxnet.a

Details
It is a rootkit which is designed to launch malicious code in the user’s system. It is an NT kernel mode driver. It is 26616 bytes in size.

Infection

The rootkit copies its executable file as:
%System%\drivers\mrxcls.sys

In order to ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

It creates the file:

%System%\drivers\mrxnet.sys - 17400 bytes, identified as Rootkit.Win32.Stuxnet.b

To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001
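
One way to check an exported Services key for these two entries, as an added example that is not part of the original description: it parses .reg text like the blocks above and flags keys by service name or driver file name. The function names and the sample export are constructed for illustration; Type 1 and Start 1 are the standard Windows values for a kernel driver loaded at system start.

```python
import re

# Service key names and driver file names from the description above.
SERVICE_KEYS = {"mrxcls", "mrxnet"}
DRIVER_FILES = {"mrxcls.sys", "mrxnet.sys"}
SECTION = re.compile(r"^\[([^\]]+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE.match(line)) and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:  # quoted string; .reg files escape a backslash as \\
                current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_stuxnet_services(text):
    """Flag service keys whose name or driver file matches the ones above."""
    findings = []
    for path, values in parse_reg(text).items():
        parts = path.lower().split("\\")
        if len(parts) < 2 or parts[-2] != "services":
            continue
        image = str(values.get("ImagePath", ""))
        if parts[-1] in SERVICE_KEYS or image.lower().rsplit("\\", 1)[-1] in DRIVER_FILES:
            findings.append({
                "key": path,
                "image": image,
                # Type 1 = kernel driver, Start 1 = loaded at system start
                "kernel_driver_at_boot": values.get("Type") == 1 and values.get("Start") == 1,
            })
    return findings

# Constructed sample export: one benign driver service and one key shaped like the above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"ImagePath"="System32\\Drivers\\Null.SYS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''
if __name__ == "__main__": print(find_stuxnet_services(SAMPLE))
```

Matching on the driver file name as well as the key name catches an entry registered under a different service name.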

It also creates the following files, which contain the code and encrypted rootkit data:

%windir%\inf\mdmcpq3.pnf - 4633 bytes.
%windir%\inf\mdmeric3.pnf - 90 bytes.
%windir%\inf\oem6c.pnf - 323848 bytes.
%windir%\inf\oem7a.pnf - 498176 bytes.

The rootkit spreads via removable USB devices by exploiting the zero-day vulnerability CVE-2010-2568 in LNK files.

For this purpose, the malicious code running in the services.exe process monitors the connection of new USB storage devices to the system and, if a connection is detected, creates the following files in the root folder of the device:

~wtr4132.tmp - 513536 bytes, identified as Trojan-Dropper.Win32.Stuxnet.a

~wtr4141.tmp - 25720 bytes, identified as Trojan-Dropper.Win32.Stuxnet.b

These DLL files are loaded when the vulnerability is exploited and install the rootkit on the system. Together with these files, shortcut files that exploit the vulnerability are placed in the root of the infected disk:

"Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Copy of Shortcut to.lnk"

The files are 4171 bytes in size and are detected as Trojan.WinLnk.Agent.i. The vulnerability is exploited if the user attempts to view the contents of the removable media's root directory in a file manager with file icons enabled. Once the vulnerability is exploited, the rootkit is activated and immediately hides the malicious files.
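
A sweep of a removable drive's root folder for the names and sizes listed above, as an added example that is not part of the original description. It reads directory entries only and never opens or renders the shortcut files; the function names and the fixture files are constructed for illustration.

```python
import os
import re
import tempfile

# Names and sizes from the description above; one to four "Copy of " prefixes.
LNK_NAME = re.compile(r"^(Copy of ){1,4}Shortcut to\.lnk$", re.IGNORECASE)
LNK_SIZE = 4171
DROPPERS = {"~wtr4132.tmp": 513536, "~wtr4141.tmp": 25720}

def sweep_root(root):
    """Check only the top level of `root` (the artifacts sit in the root folder).

    Returns (name, size, verdict) tuples: "match" when name and size agree with
    the description, "name-only" when the name matches but the size differs.
    """
    hits = []
    with os.scandir(root) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            name = entry.name.lower()
            if name in DROPPERS:
                expected = DROPPERS[name]
            elif LNK_NAME.match(entry.name):
                expected = LNK_SIZE
            else:
                continue
            size = entry.stat(follow_symlinks=False).st_size
            hits.append((entry.name, size, "match" if size == expected else "name-only"))
    return sorted(hits)

def demo():
    """Build a constructed drive root in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        fixtures = {  # constructed files: zero-filled, only names and sizes matter
            "Copy of Shortcut to.lnk": 4171,
            "Copy of Copy of Shortcut to.lnk": 100,   # right name, wrong size
            "~WTR4141.tmp": 25720,
            "Shortcut to notes.lnk": 4171,            # benign name, same size
            "report.docx": 513536,
        }
        for name, size in fixtures.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        return sweep_root(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Because the active rootkit hides these files, run the sweep from a machine known to be clean; an empty result on an infected host proves nothing.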


The rootkit is designed to inject the malicious code into user mode processes. The rootkit loads the DLL into the following system processes:

svchost.exe
services.exe
lsass.exe

After this, the DLLs are displayed in the processes' module lists with the following names:
kernel32.dll.aslr.<rnd>
shell32.dll.aslr.<rnd>

where rnd stands for a random hexadecimal number. The code being injected is contained in the following file, which is encrypted:

%WinDir%\inf\oem7A.PNF

The injected code contains the main functionality of this malicious program. This includes:

• Propagation via removable media.
• Monitoring of the Siemens Step7 system. For this purpose the rootkit driver injects its intermediary library into the s7tgtopx.exe process in place of the original s7otbxsx.dll. The intermediary library emulates the work of the following API functions, collecting various information on the work of the system:
    • s7_event
    • s7ag_bub_cycl_read_create
    • s7ag_bub_read_var
    • s7ag_bub_write_var
    • s7ag_link_in
    • s7ag_read_szl
    • s7ag_test
    • s7blk_delete
    • s7blk_findfirst
    • s7blk_findnext
    • s7blk_read
    • s7blk_write
    • s7db_close
    • s7db_open
    • s7ag_bub_read_var_seg
    • s7ag_bub_write_var_seg
• Performing SQL requests. The rootkit receives a list of computers in the local network and checks whether the Microsoft SQL server that services the visualization system for Siemens WinCC operational processes is running on any of them. If the server is found, the malware attempts to log in to the database using the WinCCConnect/2WSXcder username and password and then tries to acquire data from the following tables:
    • MCPTPROJECT
    • MCPTVARIABLEDESC
    • MCPVREADVARPERCON
• Collecting information from files with the following extensions, which are created using Siemens Step7. The entire computer hard drive is searched for the files:
    • *.S7P
    • *.MCP
    • *.LDF
• Sending the collected data via the Internet to the cybercriminals' servers in encrypted format.

The rootkit file is signed with the digital signature of Realtek Semiconductor Corp.


Remove Virus

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original rootkit file (the location will depend on how the program originally penetrated the victim machine).
2. Delete the system registry keys:
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
3. Delete the following files:
   %System%\drivers\mrxnet.sys
   %System%\drivers\mrxcls.sys
   %windir%\inf\mdmcpq3.pnf
   %windir%\inf\mdmeric3.pnf
   %windir%\inf\oem6c.pnf
   %windir%\inf\oem7a.pnf
4. Reboot the computer.
5. Disable the display of icons in the file manager to avoid repeated infection.
6. Delete the following files from removable media if there are any:
   "Copy of Shortcut to.lnk"
   "Copy of Copy of Shortcut to.lnk"
   "Copy of Copy of Copy of Shortcut to.lnk"
   "Copy of Copy of Copy of Copy of Shortcut to.lnk"
   ~wtr4132.tmp
   ~wtr4141.tmp



