|Detected||Jul 12 2010 06:57 GMT|
|Released||Jul 12 2010 15:22 GMT|
|Published||Sep 20 2010 09:31 GMT|
It is a rootkit which is designed to launch malicious code in the user’s system. It is an NT kernel mode driver. It is 26616 bytes in size.
%System%\drivers\mrxcls.sysIn order to ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls] "Description"="MRXCLS" "DisplayName"="MRXCLS" "ErrorControl"=dword:00000000 "Group"="Network" "ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys" "Start"=dword:00000001 "Type"=dword:00000001It creates the file:
%System%\drivers\mrxnet.sys– 17400 bytes, defined as Rootkit.Win32.Stuxnet.b
To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet] "Description"="MRXCLS" "DisplayName"="MRXNET" "ErrorControl"=dword:00000000 "Group"="Network" "ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys" "Start"=dword:00000001 "Type"=dword:00000001It also creates the following files:
%windir%\inf\mdmcpq3.pnf - 4633 bytes. %windir%\inf\mdmeric3.pnf - 90 bytes. %windir%\inf\oem6c.pnf - 323848 bytes. %windir%\inf\oem7a.pnf – 498176 bytes.which contain the code and encrypted rootkit data.
The rootkit spreads via removable USB devices exploiting the zero-day vulnerability CVE-2010-2568 in LNK files (for more details see here).
For this purpose the malicious code running in the services.exe process monitors the connection of new USB storage devices to the system and if a connection is detected, creates the following files in the root folder of the device:
~wtr4132.tmp– 513536 bytes, identified as Trojan-Dropper.Win32.Stuxnet.a
~wtr4141.tmp– 25720 bytes, identified as Trojan-Dropper.Win32.Stuxnet.b
These DLL files are downloaded when the vulnerability is exploited and install the rootkit on the system. Together with these files the shortcuts to the vulnerability are placed in the root of the infected disk:
"Copy of Shortcut to.lnk" "Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Copy of Shortcut to.lnk"The files are 4171 bytes in size and are detected as Trojan.WinLnk.Agent.i. The vulnerability will be exploited if the user attempts to view the contents of the removable media’s root directory using the file manager with file icons enabled. Once the vulnerability is exploited the rootkit is activated, which instantaneously hides the malicious files.
The rootkit is designed to inject the malicious code into user mode processes. The rootkit downloads the DLL dynamic library to the following system processes:
svchost.exe services.exe lsass.exeAfter this DLLs are displayed in their module lists with the following names:
kernel32.dll.aslr. shell32.dll.aslr.Where rnd stands for a random hexadecimal number. The code being injected is contained in the file:
%WinDir%\inf\oem7A.PNFIt is encrypted.
The injected code contains the main functionality of this malicious program. This includes:
s7_event s7ag_bub_cycl_read_create s7ag_bub_read_var s7ag_bub_write_var s7ag_link_in s7ag_read_szl s7ag_test s7blk_delete s7blk_findfirst s7blk_findnext s7blk_read s7blk_write s7db_close s7db_open s7ag_bub_read_var_seg s7ag_bub_write_var_segcollecting various information on the work of the system.
MCPTPROJECT MCPTVARIABLEDESC MCPVREADVARPERCON It collects information from files with the extensions: *.S7P *.MCP *.LDFwhich are created using Siemens Step7. The entire computer hard drive is searched for the files.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
%System%\drivers\mrxnet.sys %System%\drivers\mrxcls.sys %windir%\inf\mdmcpq3.pnf %windir%\inf\mdmeric3.pnf %windir%\inf\oem6c.pnf %windir%\inf\oem7a.pnf
"Copy of Shortcut to.lnk" "Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Shortcut to.lnk" "Copy of Copy of Copy of Copy of Shortcut to.lnk" ~wtr4132.tmp ~wtr4141.tmp
This type of malicious program is designed to conceal certain objects or activities in the system. Registry keys (those used to automatically launch malicious objects, for example), files, folders, and processes in the memory of an infected computer, as well as malicious network activity, can all be hidden.
Rootkits themselves have any malicious payload but in most cases, this type of program is used to prevent malicious programs from being detected and extend the length of time that they run on an infected computer.