
Trojan:WinNT/Stuxnet.B


First posted on 17 July 2010.
Source: SecurityHome

Aliases :

Trojan:WinNT/Stuxnet.B is also known as VirTool:WinNT/Rootkitdrv.HK (Microsoft), Win32/Rootkit.Agent.NTK (ESET).

Explanation :

Trojan:WinNT/Stuxnet.B is a trojan component that loads other malware and is installed by TrojanDropper:Win32/Stuxnet.A.

Installation

Trojan:WinNT/Stuxnet.B may be present as the following file:

<system folder>\Drivers\MRXNET.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXNET" via a registry modification, as in the following example:

Sets value: "Description"
With data: "MRXNET"
Sets value: "DisplayName"
With data: "MRXNET"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxnet.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

Payload

Loads other malware

Trojan:WinNT/Stuxnet.B is capable of loading and executing files having certain characteristics; for example, it parses and loads the following:
~wtr4132.tmp - copy of TrojanDropper:Win32/Stuxnet.A
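
One way to check a registry export for the service entry listed under Installation, as an added example that is not part of the original write-up or any vendor tool. It assumes a text dump in `reg export` format, and it also accepts `ControlSet00N` key names and a REG_EXPAND_SZ `ImagePath`, neither of which the write-up mentions; the sample input is constructed.

```python
import re

# Indicators from the write-up; assumption: offline hives show ControlSet00N, not CurrentControlSet.
KEY_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\MRxNet$", re.I)
EXPECTED = {"description": "MRXNET", "displayname": "MRXNET", "errorcontrol": "0",
            "group": "Network", "start": "1", "type": "1"}
DRIVER_SUFFIX = r"\drivers\mrxnet.sys"  # tail of ImagePath, compared case-insensitively

def decode_value(raw):
    """Decode .reg data: quoted string, dword, or hex(2) (REG_EXPAND_SZ, UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_reg(text):
    """Return {key_path: {lowercased value name: data}} from .reg export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            current[m.group(1).lower()] = decode_value(m.group(2))
    return keys

def find_mrxnet(text):
    """Return [(key_path, sorted names of values matching the write-up)]."""
    hits = []
    for key, vals in parse_reg(text).items():
        if KEY_RE.search(key):
            ok = [n for n, v in EXPECTED.items() if str(vals.get(n, "")).lower() == v.lower()]
            if str(vals.get("imagepath", "")).lower().endswith(DRIVER_SUFFIX):
                ok.append("imagepath")
            hits.append((key, sorted(ok)))
    return hits

# Constructed sample export (not captured from a real system).
_path = "\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxnet.sys\0".encode("utf-16-le")
SAMPLE = ("Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\MRxNet]\n"
    '"Description"="MRXNET"\n"DisplayName"="MRXNET"\n"ErrorControl"=dword:00000000\n'
    '"Group"="Network"\n"Start"=dword:00000001\n"Type"=dword:00000001\n'
    '"ImagePath"=hex(2):' + ",".join(f"{b:02x}" for b in _path) + "\n")
```

`find_mrxnet(SAMPLE)` returns the matching key together with the names of the values that agree with the entry above, so a partial match (for example a changed `Group`) is still reported.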

Analysis by Francis Allan Tan Seng

Last update 17 July 2010

 
