With Knowledge, We Can Do Anything Easily



Detected Jul 12 2010 07:57 GMT

Released Jul 12 2010 16:22 GMT

Published Sep 20 2010 12:28 GMT

Technical Details

This rootkit is designed to conceal malicious program files. It is an NT kernel mode driver. It is 17400 bytes in size.


The rootkit copies its executable file as:


To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:



During the launch process the rootkit driver connects as a filter driver to the following file system devices:


and thus gains control of the file system of the infected computer. The rootkit hides files with the names:

~WTR.tmp, where rnd is a random four-digit number

For example:


Files with LNK extensions which are 4171 bytes in size are also hidden. The rootkit file is signed with the digital signature of Realtek Semiconductor Corp.
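The two hiding rules above (a `~WTR` name with a random four-digit number and a `.tmp` extension, and `.lnk` files of exactly 4171 bytes) can be turned into a simple defender-side check. The following Python is an added example, not code from the Securelist description; the sample listing is constructed, and `scan_directory` is a hypothetical helper for running the same rules over a real path.

```python
"""Apply the file-hiding criteria from the description to a file listing (added example)."""
import os
import re
from typing import Iterable, List, Tuple

# Pattern taken from the description: "~WTR" + four digits + ".tmp".
# Matching is case-insensitive because NTFS names are.
WTR_PATTERN = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)

# The description says LNK files of exactly this size are hidden as well.
HIDDEN_LNK_SIZE = 4171


def matches_hide_rule(name: str, size: int) -> bool:
    """Return True if a (name, size) pair matches either hiding rule."""
    if WTR_PATTERN.match(name):
        return True
    return name.lower().endswith(".lnk") and size == HIDDEN_LNK_SIZE


def find_suspicious(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Filter (name, size) pairs down to those the rootkit would hide."""
    return [(n, s) for n, s in entries if matches_hide_rule(n, s)]


def scan_directory(path: str) -> List[Tuple[str, int]]:
    """Hypothetical helper: walk a real directory tree and apply the rules."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            full = os.path.join(root, f)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            if matches_hide_rule(f, size):
                hits.append((full, size))
    return hits


# Constructed sample listing; names and sizes are made up for the example.
SAMPLE_LISTING = [
    ("~WTR1234.tmp", 25720),
    ("~wtr9876.TMP", 500000),
    ("~WTR12.tmp", 100),        # only two digits: does not match
    ("sample.lnk", 4171),       # LNK of the stated size: matches
    ("other.lnk", 4096),        # LNK of a different size: does not match
    ("readme.txt", 4171),       # right size, wrong extension: does not match
]

if __name__ == "__main__":
    for name, size in find_suspicious(SAMPLE_LISTING):
        print(f"matches hide rule: {name} ({size} bytes)")
```

Because the driver attaches as a file system filter, a directory listing taken on the infected system has already been filtered; run a check like this from a clean boot environment or against an offline copy of the volume.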

It contains the following string:


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original rootkit file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the system registry key:
  3. Delete the following file:
  4. Reboot the computer.
  5. Update your antivirus databases and perform a full scan of the computer.

(Quoted from http://www.securelist.com/en/descriptions/15071648/Rootkit.Win32.Stuxnet.b without translation)
