
Trojan:Win32/Duqu.B


First posted on 26 October 2011.
Source: SecurityHome

Aliases :

Trojan:Win32/Duqu.B is also known as Worm/Win32.Stuxnet (AhnLab).

Explanation :

Trojan:Win32/Duqu.B is a detection for malicious code that has been injected into running processes, such as "lsass.exe", by Trojan:Win32/Duqu.A.

Installation
Trojan:Win32/Duqu.B is injected into running processes, such as "lsass.exe", by Trojan:Win32/Duqu.A.

This trojan could create a new instance of the default web browser, as defined by this registry subkey:

HKCR\HTTP\SHELL\OPEN\COMMAND\Default

The newly launched browser has the same privilege as the Windows shell "explorer.exe" and the trojan may inject additional payload code into the process, detected as Trojan:Win32/Duqu.C.

Trojan:Win32/Duqu.B may launch new instances of the following processes and inject payload code into the process:

  • %SystemRoot%\system32\lsass.exe
  • %SystemRoot%\system32\winlogon.exe
  • %SystemRoot%\system32\svchost.exe
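
As an added example (not part of the original encyclopedia entry), the following Python code checks process-creation records for the three processes listed above being started by an unexpected parent or, for lsass.exe, being started a second time. The expected-parent baseline, the record field names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed baseline of normal parents (standard Windows behaviour, not taken
# from the page); tune it for the Windows versions in your environment.
EXPECTED_PARENTS = {
    "lsass.exe": {"wininit.exe", "winlogon.exe"},
    "winlogon.exe": {"smss.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"lsass.exe"}  # assumption: one instance per boot is normal


def flag_suspicious(events):
    """Return (pid, reason) for process-creation events that break the baseline."""
    findings, seen = [], set()
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name not in EXPECTED_PARENTS:
            continue  # not one of the processes named in the entry
        parent = ntpath.basename(ev["parent_image"]).lower()
        if parent not in EXPECTED_PARENTS[name]:
            findings.append((ev["pid"], f"{name} started by unexpected parent {parent}"))
        elif name in SINGLETONS and name in seen:
            findings.append((ev["pid"], f"additional instance of {name}"))
        seen.add(name)
    return findings


SYS32 = "C:\\Windows\\System32\\"
# Constructed sample events (hypothetical field names), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 500, "image": SYS32 + "lsass.exe", "parent_image": SYS32 + "wininit.exe"},
    {"pid": 620, "image": SYS32 + "svchost.exe", "parent_image": SYS32 + "services.exe"},
    {"pid": 2100, "image": SYS32 + "lsass.exe", "parent_image": SYS32 + "lsass.exe"},
    {"pid": 2140, "image": SYS32 + "svchost.exe", "parent_image": SYS32 + "lsass.exe"},
    {"pid": 2300, "image": SYS32 + "lsass.exe", "parent_image": SYS32 + "wininit.exe"},
    {"pid": 3000, "image": SYS32 + "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reason in flag_suspicious(SAMPLE_EVENTS):
        print(pid, reason)
```
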

Additional Information
For more information about Trojan:Win32/Duqu.C, see the description elsewhere in the encyclopedia.

Analysis by Shawn Wang

Last update 26 October 2011

 
