W32.Stuxnet
W32.Stuxnet is a worm that propagates on USB removable media drives by taking advantage of the "Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability". W32.Stuxnet makes various modifications to the computer and creates its own service, which is set to start automatically with Windows.
Technical Information:
Alias: Troj/Stuxnet-A, W32/Stuxnet-B, W32.Temphid, WORM_STUXNET.A, Win32/Stuxnet.B, Trojan-Dropper:W32/Stuxnet, Stuxnet
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Manual Removal of W32.Stuxnet:
1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Locate and stop the service:
- Click Start > Run.
- Type services.msc, and then click OK.
- Locate and select the service that was detected.
Display Name: MRXCLS
Startup Type: Automatic
Image Path: %System%\drivers\mrxcls.sys
Display Name: MRXNET
Startup Type: Automatic
Image Path: %System%\drivers\mrxnet.sys
- Click Action > Properties.
- Click Stop.
- Change Startup Type to Manual.
- Click OK and close the Services window.
- Reboot the computer.
6. Delete or modify the registry values shown below under "Associated Windows Registry Entries".
7. Exit registry editor and restart Windows.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found here or on the websites of legitimate anti-virus and security providers.
Technical Details and Additional Information:
Malicious Files Added by W32.Stuxnet:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys
%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp
%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"
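As an added example (not part of the original page), the following Python script applies the indicators listed above to constructed snapshots of the Services registry key and a removable drive's root listing. It flags a service by the driver its ImagePath points to rather than by its name, and it generalises the "Copy of ... Shortcut to.lnk" pattern to any number of "Copy of " prefixes; the service names, drive letter and file listing are made up for the demonstration.

```python
import re
from typing import Dict, List

# Indicators from the page: the two driver files and the files dropped on removable media.
DRIVER_NAMES = {"mrxcls.sys", "mrxnet.sys"}
TMP_NAMES = {"~wtr4132.tmp", "~wtr4141.tmp"}
# The page lists one to four "Copy of " prefixes; this pattern accepts any depth.
LNK_RE = re.compile(r"^(?:copy of )+shortcut to\.lnk$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last component of a Windows- or POSIX-style path."""
    return re.split(r"[\\/]", path)[-1]


def check_services(services: Dict[str, Dict[str, str]]) -> List[str]:
    """services maps a key under ...\\Services to its values (ImagePath, Start, ...).
    Flags any service whose ImagePath resolves to one of the Stuxnet drivers,
    whatever the service key itself is called."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath", "").strip('"')
        if _basename(image).lower() in DRIVER_NAMES:
            findings.append(f"service {name}: ImagePath = {image}")
    return findings


def check_removable_drive(letter: str, listing: List[str]) -> List[str]:
    """listing is the root directory listing of removable drive `letter`."""
    findings = []
    for entry in listing:
        base = _basename(entry)
        if base.lower() in TMP_NAMES or LNK_RE.match(base):
            findings.append(f"{letter}: {base}")
    return findings


# Constructed sample snapshots (not real capture data).
SERVICES = {
    "MRxCls": {"ImagePath": r"%System%\drivers\mrxcls.sys", "Start": "2"},
    "MRxNet": {"ImagePath": r"%System%\drivers\mrxnet.sys", "Start": "2"},
    "Spooler": {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "Start": "2"},
}
USB_LISTING = [
    r"E:\~WTR4132.tmp",
    r"E:\~WTR4141.tmp",
    r"E:\Copy of Copy of Shortcut to.lnk",
    r"E:\holiday photos.lnk",
    r"E:\report.docx",
]

if __name__ == "__main__":
    for line in check_services(SERVICES) + check_removable_drive("E", USB_LISTING):
        print(line)
```

On a live host the two snapshots would come from exporting the Services key and listing each removable drive's root; only findings from the indicators above are reported, so a clean system produces no output.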
Joko Santoso
Aug 02, 2010 @ 22:51:37
Thanks for this useful information, my PC is also infected by this variant,
there is also a file fanny.bmp located on my USB, caused by this virus.
Rafael
Sep 30, 2010 @ 17:10:25
Hi, I want to know what happened with PLCs? Does this virus only attack Siemens PLCs? Thanks.