Rootkit.Win32.Stuxnet.a

Rootkit.Win32.Stuxnet.a is a detection name for a Trojan that belongs to the Stuxnet family. This infection spreads very quickly around the world by exploiting software vulnerabilities on the target computer. Rootkit.Win32.Stuxnet.a uses a new propagation method that takes advantage of specially crafted shortcut (.lnk) files placed on USB drives to execute the Trojan automatically when the drive is accessed.

Alias: Rootkit.Stuxnet.A, Rootkit.Stuxnet, Win32/Stuxnet.A, Backdoor/Win32.Stuxnet, Trojan.Stuxnet.1, W32/Stuxnet.A!tr.rkit, W32/Stuxnet.D

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

How to Remove Rootkit.Win32.Stuxnet.a:

FIRST AID TO STOP Rootkit.Win32.Stuxnet.a:
If this dangerous Trojan has infected the system, the registry and legitimate Windows files may also be compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you were infected with Rootkit.Win32.Stuxnet.a, restore Windows to that earlier configuration.

MANUAL REMOVAL OF Rootkit.Win32.Stuxnet.a:
1. Update the installed anti-virus application so it has the latest definition file.
2. Reboot Windows in Safe Mode:
– After turning on the power, press F8 on the keyboard.
– Select Safe Mode from the menu.

3. Thoroughly scan the system and clean or delete all infected file(s). See the list of malicious files below.
4. Delete or modify any values added to the registry, if present. Refer to the associated Windows Registry Entries below.
– Click Start, then search for or run regedit.exe to open the Registry Editor.

Note: You may refer to the links in the sidebar for a complete tutorial on Safe Mode and the Registry Editor.

5. Exit the Registry Editor and restart Windows.

ADDITIONAL TOOLS AND PROGRAMS:

Scan with Portable Antivirus:
Most of the time, a Trojan associated with a rogue program will disable Windows functionality and prevent the compromised computer from executing any application, including the locally installed antivirus program. If this happens, you can try McAfee's portable antivirus, Stinger, which is free to download.

Kaspersky Bootable USB Flash Drive
A tool from Kaspersky lets you create a bootable virus scanner that can be run on any computer. It can be booted and run from media such as a CD, DVD or USB flash drive. Download it and follow the procedure here.

Technical Details and Additional Information:

Other functionality of this virus:
– This rootkit Trojan spreads via removable USB devices.
– Rootkit.Win32.Stuxnet.a exploits the zero-day vulnerability CVE-2010-2568 in LNK (shortcut) files to infect a system.
– It was designed to inject malicious code into user-mode processes.

Malicious Files Added by Rootkit.Win32.Stuxnet.a:
%System%\drivers\mrxnet.sys
%System%\drivers\mrxcls.sys
%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf

File Location for Windows Versions:

  • %System% for all versions of Windows is located under C:\Windows\System32.
  • %Windir% refers to the installation folder of the operating system.

Associated Windows Registry Entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
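
The following PowerShell script is an added example, not part of the original guide, that checks a host for the files and registry service entries listed above and reports what it finds without deleting anything. It assumes `$env:SystemRoot` corresponds to %windir% and `$env:SystemRoot\System32` to %System%, and it should be run from an elevated prompt.

```powershell
# Added example (not from the original page): read-only check for the
# Rootkit.Win32.Stuxnet.a artifacts listed in the guide. It only reports;
# cleanup is left to the removal procedure described above.
# Assumption: %windir% = $env:SystemRoot, %System% = $env:SystemRoot\System32.

$files = @(
    "$env:SystemRoot\System32\drivers\mrxnet.sys",
    "$env:SystemRoot\System32\drivers\mrxcls.sys",
    "$env:SystemRoot\inf\mdmcpq3.pnf",
    "$env:SystemRoot\inf\mdmeric3.pnf",
    "$env:SystemRoot\inf\oem6c.pnf",
    "$env:SystemRoot\inf\oem7a.pnf"
)

$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxNet',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MRxCls'
)

$findings = @()

foreach ($path in $files) {
    # -Force makes Get-Item return hidden/system files as well.
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        # Size and UTC timestamp help correlate the finding across hosts.
        $findings += [pscustomobject]@{
            Type   = 'File'
            Name   = $path
            Detail = "size=$($item.Length) modified=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

foreach ($key in $serviceKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        # ImagePath shows which driver the service entry would load; Start is its start type.
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Name   = $key
            Detail = "ImagePath=$($props.ImagePath) Start=$($props.Start)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Rootkit.Win32.Stuxnet.a indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the driver files or the service keys on a machine that should not have them is the cue to proceed with the Safe Mode scan and registry cleanup steps above.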

Alternative Removal Method for Rootkit.Win32.Stuxnet.a

Option 1: Use Windows System Restore to return Windows to a previous state

If Rootkit.Win32.Stuxnet.a enters the computer, there is a high chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date; it also replaces compromised files with clean versions. If you have a restore point saved from before Rootkit.Win32.Stuxnet.a infiltrated the PC, we highly encourage you to run this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.