W32.Stuxnet

W32.Stuxnet is a worm that propagates on USB removable media drives by taking advantage of “Microsoft Windows Shortcut ‘LNK’ Files Automatic File Execution Vulnerability”. Various modifications on the computer will be implemented by W32.Stuxnet. It also creates its own running service to start automatically with Windows.

Alias:Troj/Stuxnet-A, W32/Stuxnet-B, W32.Temphid, WORM_STUXNET.A, Win32/Stuxnet.B, Trojan-Dropper:W32/Stuxnet, Stuxnet

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista/7

Characteristics
When executed, W32.Stuxnet creates a number of files on System and Windows folder. It also drops some files onto removable and network shared drives. To gain instant start-up, W32.Stuxnet will add some entries into the registry. It also registers some services for the same purpose.
If W32.Stuxnet is running on the computer, it carries out actions that may be harmful to the system. The worm may connect to a remote server to download more threats. It also gathers some data from the PC and uploads it to specified server.

Distribution
W32.Stuxnet spreads via removal media drives. It is not a typical USB worm and does not utilized the autorun function of Windows. Instead, this worm attempts to exploit the “Microsoft Windows Shortcut ‘LNK’ Files Automatic File Execution Vulnerability” in order to deploy a copy. Executing icons of affected programs runs the file that the worm have dropped on the removable drive and will become memory resident. W32.Stuxnet also applies the same method to spread a copy on network-shared drives where the infected computer is linked.

W32.Stuxnet detection

How to Remove W32.Stuxnet

Systematic procedures to get rid of the threat are presented on this section. Make sure to scan the computer with suggested tools and scanners.

NOTE: We suggest that you PRINT or BOOKMARK this guide. There are steps that we may have to restart the computer in order to successfully remove the threat.

Optional : Scan and remove W32.Stuxnet with this special tool

1. Temporarily Disable System Restore if you are running Windows XP.
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Locate and stop the service: - Click Start > Run.
- Type services.msc, and then click OK.
- Locate and select the service that was detected.

Display Name: MRXCLS
Startup Type: Automatic
Image Path: %System%\drivers\mrxcls.sys

Display Name: MRXNET
Startup Type: Automatic
Image Path: %System%\drivers\mrxnet.sys

Click Action > Properties.
- Click Stop.
- Change Startup Type to Manual.
- Click OK and close the Services window.
- Reboot the computer.

6. Delete/Modify any values added to the registry show below. [how to edit registry]
7. Exit registry editor and restart Windows.
8. In order to completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected machine.

Step 1 : Run a scan with your antivirus program

1. Remove all media such as Memory Card, cd, dvd, and USB devices. Then, restart the computer and please do the following:

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8 and Windows 10
a) Close any running programs on your computer.
b) Get ready to Start Windows. On your keyboard, Press and Hold Shift key and then, click on Restart button.
c) It will prompt you with options, please click on Troubleshoot icon.
d) Under Troubleshoot window, select Advanced Options.
e) On next window, click on Startup Settings icon.
f) Lastly, click on Restart button on subsequent window.
g) When Windows restarts, present startup options with numbers 1 - 9. Select "Enable Safe Mode with Networking" or number 5.

Startup Options

h) Windows will now boot on Safe Mode with Networking. Proceed with virus scan as the next step.

2. Once Windows is running under Safe Mode with Networking, open your antivirus program and download the most recent update. This method ensures that your antivirus program can detect even newer variants of W32.Stuxnet.

Updating your antivirus software is a one-click process. Please refer to your software manual for complete instructions.

3. Once updating is finished, run a full system scan on the affected PC. After the scan, delete all infected items. If unable to clean or delete, better place the threat in quarantine.

Step 2: Run another test with online virus scanner

Another way to remove W32.Stuxnet without the need to install additional antivirus software is to perform a thorough scan with free online virus scanner. It can be found on websites of legitimate antivirus and security provider.

1. Click the button below to proceed to the list of suggested Online Virus Scanner. Choose your desired provider. You can run each scan individually, one at a time, to ensure that all threats will be removed from the computer. This may require plug-ins, add-on or Activex object, please install if you want to proceed with scan.

Online Virus Scan

2. After completing the necessary download, your system is now ready to scan and remove W32.Stuxnet and other kinds of threats.
3. Select an option in which you can thoroughly scan the computer to make sure that it will find and delete entirely all infections not detected on previous scan.
4. Remove or delete all detected items.
5. When scanning is finished, you may now restart the computer in normal mode.

Alternative Removal Procedures for W32.Stuxnet

Option 1 : Use Windows System Restore to return Windows to previous state

During an infection, W32.Stuxnet drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.

rstrui-win7

Open System Restore on Windows 8

a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.

rstrui-win8

If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.

Option 2 : W32.Stuxnet manual uninstall guide

IMPORTANT! Manual removal of W32.Stuxnet requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Stuxnet.

- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Stuxnet files (refer to Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.

- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random charaters.exe]"
- Close registry editor. Changes made will be save automatically.

Run Regedit

3. Scan the computer with antivirus program.

- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode using the procedures above.
- Open your anti-virus program and thoroughly run a scan on the computer. Delete/Quarantine all identified threats to remove W32.Stuxnet effectively.

4. Delete all files dropped by W32.Stuxnet.

- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Associated Files and Folders:Added Registry Entries:

Ways to Prevent W32.Stuxnet Infection

Take the following steps to protect the computer from threats. Suggested tools and security setup within installed software helps prevent the same attack on your PC.

Install an effective anti-malware program

Your first line of defense would be an effective security program that provides real-time protection. We have a list of anti-malware program that are tried and tested. It does not only scan files but also monitors your Internet traffic and is extremely active on blocking malicious communication. Click on the button below to download our recommended anti-malware program.

Get Protection Software

Always update your installed software

Software vendors constantly releases updates for programs whenever a flaw is discovered. Getting the updates makes the computer more secured and help prevents Trojan, virus, malware, and W32.Stuxnet similar attacks. If in case your program is not set for instant update, it usually offered from vendor's web site, which you can download anytime.

Maximize the security potential of your Internet browser

Each browser has their own feature where in you can adjust the security settings that fit your browsing habit. We highly encourage you to maximize the setup to tighten the security of your browser.

Apply full caution when using the Internet

Internet is full of fraud, malware, and many forms of computer threats including W32.Stuxnet. Implement full caution with links that you may receive from emails, social networking sites, and instant messaging programs. It might lead you to malicious sites that can cause harm to your computer. Avoid strange web sites that offers free services and software downloads.

2 Responses

  1. Joko Santoso says:

    Thanks for this useful information, my PC is also infected by this varian,
    there is also file fanny.bmp located on my USB, caused by this virus.

  2. Rafael says:

    Hi, I want to know what happend with PLC´s? This virus only attack PLC siemens? Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *