
Trojan:WinNT/Duqu.A


First posted on 26 October 2011.
Source: SecurityHome

Aliases :

Trojan:WinNT/Duqu.A is also known as PWS-Duqu!rootkit (McAfee).

Explanation :

Trojan:WinNT/Duqu.A is a malware component of Win32/Duqu, a trojan that allows unauthorized remote access and control of an affected computer. This trojan component injects payload instructions, detected as Trojan:Win32/Duqu.A, into other processes.

Installation
Trojan:WinNT/Duqu.A may be installed as a device driver named "JmiNET3.sys" or "cmi4432.sys" and loads as a service at each Windows start. Trojan:WinNT/Duqu.A creates the following devices:

  • \Device\{3093AAZ3-1092-2929-9391}
  • \Device\Gpd1


Payload
Injects malware into other processes
Trojan:WinNT/Duqu.A reads encrypted configuration data from specific registry subkeys that contain the following information:
  • list of target process names, such as "services.exe", used by the trojan to inject malicious code
  • path of the payload file used to inject into processes
The malware was observed to read data from the following registry subkeys:
  • HKLM\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER
  • HKLM\SYSTEM\CurrentControlSet\Services\cmi4432\FILTER


The following are examples of file names containing the payload code, detected as Trojan:Win32/Duqu.A:

  • %systemroot%\inf\netp191.PNF
  • %systemroot%\inf\cmi4432.PNF
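
As an added example (not part of the original description), the following Python matcher checks a collected host inventory against the indicators listed above: the JmiNET3/cmi4432 service names and driver files, the FILTER configuration subkeys, and the netp191.PNF/cmi4432.PNF payload files. The inventory format and the sample data are constructed assumptions.

```python
r"""Match a host inventory against the Trojan:WinNT/Duqu.A installation
indicators described above: the driver/service names, the FILTER subkeys
holding the encrypted injection configuration, and the payload .PNF files.
The inventory shape (a services dict plus %systemroot%\inf file names) is
an assumption chosen so the matcher runs offline on collected data."""
from typing import Dict, List, Tuple

# Indicator values taken from the description above; matched case-insensitively
DUQU_SERVICE_NAMES = {"jminet3", "cmi4432"}
DUQU_DRIVER_FILES = {"jminet3.sys", "cmi4432.sys"}
DUQU_PNF_FILES = {"netp191.pnf", "cmi4432.pnf"}
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

Finding = Tuple[str, str]  # (indicator kind, detail)


def find_duqu_indicators(services: Dict[str, dict], inf_files: List[str]) -> List[Finding]:
    r"""services maps a service name to {"image": <driver path>, "subkeys": [...]};
    inf_files lists the file names present in %systemroot%\inf."""
    findings: List[Finding] = []
    for name, info in services.items():
        image_path = info.get("image", "")
        image_name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        subkeys = {k.lower() for k in info.get("subkeys", [])}
        if name.lower() in DUQU_SERVICE_NAMES:
            findings.append(("service-name", f"{SERVICES_KEY}\\{name}"))
            # FILTER holds the encrypted target-process list and payload path
            if "filter" in subkeys:
                findings.append(("config-subkey", f"{SERVICES_KEY}\\{name}\\FILTER"))
        if image_name in DUQU_DRIVER_FILES:
            findings.append(("driver-file", f"{name} -> {image_path}"))
    for fname in inf_files:
        if fname.lower() in DUQU_PNF_FILES:
            findings.append(("payload-pnf", f"%systemroot%\\inf\\{fname}"))
    return findings


# Constructed sample inventory: one infected service beside a benign one
SAMPLE_SERVICES = {
    "cmi4432": {"image": r"C:\Windows\system32\drivers\cmi4432.sys", "subkeys": ["FILTER"]},
    "Tcpip": {"image": r"C:\Windows\system32\drivers\tcpip.sys", "subkeys": ["Parameters"]},
}
SAMPLE_INF_FILES = ["oem1.PNF", "cmi4432.PNF", "netp191.PNF"]


def sample_findings() -> List[Finding]:
    """Run the matcher over the constructed sample; yields five findings."""
    return find_duqu_indicators(SAMPLE_SERVICES, SAMPLE_INF_FILES)
```

On a live Windows host the services dict would be filled from the Services registry key and the file list from %systemroot%\inf before calling the matcher.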

Additional Information
For more information about Trojan:Win32/Duqu.A, see the description elsewhere in the encyclopedia.

Analysis by Shawn Wang

Last update 26 October 2011
