W32.Duqu
W32.Duqu is a Trojan used by an attacker to install an info-stealer on the target machine. It aims to gather sensitive data from recorded keystrokes.
W32.Duqu is a remote access Trojan (RAT) believed to be part of the Stuxnet family. The two threats are almost identical in terms of source code, but W32.Duqu has a different objective. The main purpose of W32.Duqu is to gather data about industrial control systems commonly used in vital infrastructure such as product manufacturers, power plants, treatment facilities and chemical factories.
Also Detected As: TROJ_SHADOW.AF, Trojan-Duqu
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7
Characteristics
This Trojan has backdoor capability that may allow a remote attacker to gain unauthorized access to the infected computer. It also gathers the following data, which may be used to stage a future attack on the same system:
- List of running processes on the affected machine
- Account details such as user names and passwords
- Hard drive identification and related information, including network shared drives
- Network records such as interfaces, shared resource lists, routing tables and IP addresses
- Keystroke logs and screenshots
The Trojan sends the collected data to a specified remote command and control (C&C) server using the HTTP and HTTPS protocols.
Distribution
It is still unclear how W32.Duqu attacks and infects a system. However, security experts are certain that this Trojan does not replicate on its own. After infecting the machine, it expires after 36 days and deletes itself.
Associated Registry Entries:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432
Associated Files and Folders:
- %System%\drivers\jminet7.sys
- %System%\drivers\cmi4432.sys
- %System%\drivers\nfred95.sys
- %System%\drivers\nred961.sys
- %Windir%\inf\cmi4432.pnf
- %Windir%\inf\cmi4464.PNF
- %Windir%\inf\netp191.PNF
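As an added triage example (not code from the original page or from any vendor tool), the following PowerShell script checks a host for the registry services and driver/PNF files listed above and only reports what it finds. It assumes a Windows version with PowerShell 4 or later (for Get-FileHash) and that %System% corresponds to System32 under $env:SystemRoot.

```powershell
# Read-only check for the W32.Duqu indicators listed on this page.
# Run from an elevated PowerShell prompt; nothing is deleted or modified.

$system = Join-Path $env:SystemRoot 'System32'   # %System%
$windir = $env:SystemRoot                        # %Windir%

# Service names taken from the two registry keys on the page
$services = @('JmiNET3', 'cmi4432')

# File paths from the page, with %System% and %Windir% expanded
$files = @(
    (Join-Path $system 'drivers\jminet7.sys'),
    (Join-Path $system 'drivers\cmi4432.sys'),
    (Join-Path $system 'drivers\nfred95.sys'),
    (Join-Path $system 'drivers\nred961.sys'),
    (Join-Path $windir 'inf\cmi4432.pnf'),
    (Join-Path $windir 'inf\cmi4464.PNF'),
    (Join-Path $windir 'inf\netp191.PNF')
)

$findings = @()

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        # Record the driver the service points at, which is what the scanner should examine
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Type = 'RegistryService'; Path = $key; Detail = "ImagePath=$image" }
    }
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # Hash and signature state let the finding be compared against vendor indicators
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $f).Status
        $size = (Get-Item -LiteralPath $f).Length
        $findings += [pscustomobject]@{ Type = 'File'; Path = $f; Detail = "sha256=$hash signature=$sig size=$size" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the W32.Duqu indicators listed on this page were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result only means these particular names are absent; variants can use other service and file names, so a full antivirus scan is still required.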
How to Remove W32.Duqu
1. Temporarily disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of W32.Duqu, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
Norton Power Eraser, a free tool from Symantec, provides deep scanning technology to detect and remove threats like W32.Duqu. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.
Important! Because of Norton Power Eraser’s aggressive method, it can select even legitimate files as suspicious. Please use this tool very carefully.