Trojan:Win32/Duqu.A
First posted on 26 October 2011.
Source: SecurityHome
Aliases:
Trojan:Win32/Duqu.A is also known as Worm/Win32.Stuxnet (AhnLab), TR/Dropper.Gen (Avira), PWS-Duqu (McAfee).
Explanation:
Trojan:Win32/Duqu.A is a trojan that injects malicious code into other processes. The trojan itself is injected into other processes by Trojan:WinNT/Duqu.A.
Installation
Trojan:Win32/Duqu.A is installed by Trojan:WinNT/Duqu.A and may be present as one of the following files:
- %systemroot%\inf\netp191.PNF
- %systemroot%\inf\cmi4432.PNF
Trojan:Win32/Duqu.A is injected into other processes, such as "services.exe", by WinNT/Duqu.A. Trojan:Win32/Duqu.A then attempts to identify whether any of the following processes are active:
- avp.exe
- mcshield.exe
- avguard.exe
- bdagent.exe
- umxcfg.exe
- fsdfwd.exe
- rtvscan.exe
- ccSvcHst.exe
- ekrn.exe
- tmproxy.exe
- RavMonD.exe
If none of the listed processes (together with their associated files and registry data) is present, the trojan launches a process from a pre-defined list, such as "lsass.exe", and injects malicious code into the newly launched process. The injected code is detected as Trojan:Win32/Duqu.B.
Additional Information
For more information about Trojan:Win32/Duqu.B, see the description elsewhere in the encyclopedia.
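The following script is an added example, not part of the original description: it turns the indicators listed above (the two PNF paths and the security-product process names) into a simple host check. It parses constructed `tasklist /FO CSV` output and a constructed file inventory, matches them case-insensitively against the listed indicators, and flags the condition the description associates with injection into a freshly launched process (PNF artifacts present while none of the listed security products is running). The sample inputs, the `C:\Windows` system root, and the function names are assumptions made for this example.

```python
"""Host check for the Win32/Duqu.A indicators named in the description.

Added example; not code from the original encyclopedia entry.
"""
import csv
import io

# File artifacts named on the page (dropped by WinNT/Duqu.A).
DUQU_PNF_FILES = (
    r"%systemroot%\inf\netp191.PNF",
    r"%systemroot%\inf\cmi4432.PNF",
)

# Security-product processes the trojan checks for before deciding whether
# to launch and inject into a process such as lsass.exe.
SECURITY_PROCESSES = (
    "avp.exe", "mcshield.exe", "avguard.exe", "bdagent.exe", "umxcfg.exe",
    "fsdfwd.exe", "rtvscan.exe", "ccSvcHst.exe", "ekrn.exe", "tmproxy.exe",
    "RavMonD.exe",
)

# Constructed sample inputs (assumed for this example, not taken from the page).
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System","4","Services","0","1,234 K"\n'
    '"services.exe","612","Services","0","5,120 K"\n'
    '"lsass.exe","624","Services","0","7,432 K"\n'
)
SAMPLE_FILES = [
    r"C:\Windows\inf\oem1.inf",
    r"C:\Windows\INF\NETP191.pnf",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def expand_systemroot(path, systemroot=r"C:\Windows"):
    """Replace a leading %systemroot% (any case) with a concrete root directory."""
    var = "%systemroot%"
    if path.lower().startswith(var):
        return systemroot + path[len(var):]
    return path


def parse_tasklist_csv(text):
    """Return image names from 'tasklist /FO CSV' output, skipping the header row."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row[0] for row in rows[1:] if row]


def find_pnf_artifacts(file_inventory, systemroot=r"C:\Windows"):
    """Case-insensitive match of inventory paths against the Duqu PNF paths."""
    wanted = {expand_systemroot(p, systemroot).lower() for p in DUQU_PNF_FILES}
    return sorted(p for p in file_inventory if p.lower() in wanted)


def running_security_products(process_names):
    """Return the listed security-product processes that appear in the process list."""
    wanted = {p.lower() for p in SECURITY_PROCESSES}
    return sorted({p for p in process_names if p.lower() in wanted}, key=str.lower)


def assess_host(tasklist_text, file_inventory, systemroot=r"C:\Windows"):
    """Combine both checks into one finding for the host."""
    procs = parse_tasklist_csv(tasklist_text)
    artifacts = find_pnf_artifacts(file_inventory, systemroot)
    products = running_security_products(procs)
    return {
        "pnf_artifacts": artifacts,
        "security_products": products,
        # The description says the injection into a newly launched process
        # happens when none of the listed products is present, so that is
        # the combination an analyst would want surfaced first.
        "injection_branch_likely": bool(artifacts) and not products,
    }


if __name__ == "__main__":
    for key, value in assess_host(SAMPLE_TASKLIST, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a live host the two inputs would come from `tasklist /FO CSV` and a directory listing of `%systemroot%\inf`; the matching is case-insensitive because Windows paths and image names are.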
Analysis by Shawn Wang
Last update 26 October 2011