Rootkit.Win32.Stuxnet.a

Technical Details
Payload
Removal instructions

Technical Details

It is a rootkit which is designed to launch malicious code in the user’s system. It is an NT kernel mode driver. It is 26616 bytes in size.

Installation

The rootkit copies its executable file as:

%System%\drivers\mrxcls.sys

In order to ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

It creates the file:

%System%\drivers\mrxnet.sys

– 17400 bytes, defined as Rootkit.Win32.Stuxnet.b

To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001

It also creates the following files:

%windir%\inf\mdmcpq3.pnf  - 4633 bytes.
%windir%\inf\mdmeric3.pnf  - 90 bytes.
%windir%\inf\oem6c.pnf  - 323848 bytes.
%windir%\inf\oem7a.pnf – 498176 bytes.

which contain the code and encrypted rootkit data.

Propagation

The rootkit spreads via removable USB devices exploiting the zero-day vulnerability CVE-2010-2568 in LNK files (for more details see here).

For this purpose the malicious code running in the services.exe process monitors the connection of new USB storage devices to the system and if a connection is detected, creates the following files in the root folder of the device:

~wtr4132.tmp

– 513536 bytes, identified as Trojan-Dropper.Win32.Stuxnet.a

~wtr4141.tmp

– 25720 bytes, identified as Trojan-Dropper.Win32.Stuxnet.b

These DLL files are downloaded when the vulnerability is exploited and install the rootkit on the system. Together with these files the shortcuts to the vulnerability are placed in the root of the infected disk:

"Copy of Shortcut to.lnk" 
"Copy of Copy of Shortcut to.lnk" 
"Copy of Copy of Copy of Shortcut to.lnk" 
"Copy of Copy of Copy of Copy of Shortcut to.lnk"

The files are 4171 bytes in size and are detected as Trojan.WinLnk.Agent.i. The vulnerability will be exploited if the user attempts to view the contents of the removable media’s root directory using the file manager with file icons enabled. Once the vulnerability is exploited the rootkit is activated, which instantaneously hides the malicious files.

Payload

The rootkit is designed to inject the malicious code into user mode processes. The rootkit downloads the DLL dynamic library to the following system processes:

svchost.exe
services.exe
lsass.exe

After this DLLs are displayed in their module lists with the following names:

kernel32.dll.aslr.
shell32.dll.aslr.

Where rnd stands for a random hexadecimal number. The code being injected is contained in the file:

%WinDir%\inf\oem7A.PNF

It is encrypted.

The injected code contains the main functionality of this malicious program. This includes:

• Propagation via removable media.
• Monitoring of the Siemens Step7 system. For this purpose the rootkit driver injects its intermediary library to the s7tgtopx.exe process instead of the original s7otbxsx.dll, which emulates the work of the following API functions:

  s7_event
  s7ag_bub_cycl_read_create
  s7ag_bub_read_var
  s7ag_bub_write_var
  s7ag_link_in
  s7ag_read_szl
  s7ag_test
  s7blk_delete
  s7blk_findfirst
  s7blk_findnext
  s7blk_read
  s7blk_write
  s7db_close
  s7db_open
  s7ag_bub_read_var_seg
  s7ag_bub_write_var_seg
  

  collecting various information on the work of the system.
• Performing SQL requests. The rootkit receives a list of computers in the local network and checks if the Microsoft SQL server, which services the visualization system for Siemens WinCC operational processes, is launched on any of them. If the server is found, the malware attempts to log in to the database using the WinCCConnect/2WSXcder username and password and then tries to acquire data from the following tables:

  MCPTPROJECT
  MCPTVARIABLEDESC
  MCPVREADVARPERCON
  It collects information from files with the extensions: 
  *.S7P
  *.MCP
  *.LDF
  

  which are created using Siemens Step7. The entire computer hard drive is searched for the files.
• It sends the collected data via the Internet to the cybercriminals’ servers in encrypted format.

The rootkit file is signed with the digital signature of Realtek Semiconductor Corp.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Delete the original rootkit file (the location will depend on how the program originally penetrated the victim machine).
2. Delete the system registry keys

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
   

3. Delete the following files:

   %System%\drivers\mrxnet.sys
   %System%\drivers\mrxcls.sys
   %windir%\inf\mdmcpq3.pnf 
   %windir%\inf\mdmeric3.pnf
   %windir%\inf\oem6c.pnf 
   %windir%\inf\oem7a.pnf
   

4. Reboot the computer
5. Disable the display of icons in the file manager to avoid repeated infection.
6. Delete the following files from removable media if there are any:

   "Copy of Shortcut to.lnk" 
   "Copy of Copy of Shortcut to.lnk" 
   "Copy of Copy of Copy of Shortcut to.lnk" 
   "Copy of Copy of Copy of Copy of Shortcut to.lnk"
   ~wtr4132.tmp
   ~wtr4141.tmp
   

7. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).