
Trojan:WinNT/Stuxnet.A


First posted on 17 July 2010.
Source: SecurityHome

Aliases:

Trojan:WinNT/Stuxnet.A is also known as Win32/PcClient.ACH (CA).

Explanation:

Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.

Installation

Trojan:WinNT/Stuxnet.A may be present as the following file:

<system folder>\Drivers\mrxcls.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXCLS" via a registry modification as in the following example:

Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: "<hexadecimal values>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

Payload

Injects code

Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components such as the following:

%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf
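As an added defender-side example that is not part of the original writeup, the following PowerShell checks a host for the service key, driver file and companion .pnf files listed above. The meanings of Start=1 (system start) and Type=1 (kernel driver) are standard Windows service constants; the paths assume the default locations the note describes.

```powershell
# Added example (not from the original page): look for the Trojan:WinNT/Stuxnet.A
# persistence indicators described above. Run from an elevated PowerShell session.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxCls'
$driver   = Join-Path $env:windir 'System32\Drivers\mrxcls.sys'
$pnfFiles = 'mdmcpq3.pnf', 'mdmeric3.pnf', 'oem6c.pnf', 'oem7a.pnf' |
    ForEach-Object { Join-Path $env:windir "inf\$_" }

$findings = @()

# 1. Service registry key and the values the page lists.
if (Test-Path -Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey"
    # Start=1 is SERVICE_SYSTEM_START, Type=1 is SERVICE_KERNEL_DRIVER.
    if ($svc.Start -eq 1 -and $svc.Type -eq 1) {
        $findings += '  Start=1, Type=1 (system-start kernel driver)'
    }
    if ($svc.ImagePath -match 'mrxcls\.sys$') {
        $findings += "  ImagePath: $($svc.ImagePath)"
    }
    # The binary 'Data' value carries the injection configuration.
    if ($svc.PSObject.Properties['Data']) {
        $findings += "  'Data' value present ($($svc.Data.Length) bytes)"
    }
}

# 2. Driver file and the .pnf companion files the injector reads.
if (Test-Path -Path $driver) { $findings += "Driver file present: $driver" }
foreach ($f in $pnfFiles) {
    if (Test-Path -Path $f) { $findings += "Companion file present: $f" }
}

# 3. Live service list (may be empty if the driver hides the service).
$live = Get-Service -Name 'MRxCls' -ErrorAction SilentlyContinue
if ($live) { $findings += "Service registered: $($live.Name) ($($live.Status))" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No Trojan:WinNT/Stuxnet.A indicators found.'
}
```

Because the component runs as a hidden service, a clean result from a live system is not conclusive; repeat the registry and file checks against the SYSTEM hive and disk mounted offline from trusted boot media.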

Analysis by Francis Allan Tan Seng

Last update 17 July 2010
