With Knowledge, We Can Do Anything Easily

Rootkit.Win32.Stuxnet.b

Detected Jul 12 2010 07:57 GMT

Released Jul 12 2010 16:22 GMT

Published Sep 20 2010 12:28 GMT

Technical Details

This rootkit is designed to conceal malicious program files. It is an NT kernel mode driver. It is 17400 bytes in size.

Installation

The rootkit copies its executable file as:

%System%\drivers\mrxnet.sys

To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001

Payload

During the launch process the rootkit driver connects as a filter driver to the following file system devices:

\FileSystem\ntfs
\FileSystem\fastfat
\FileSystem\cdfs

and thus gains control of the file system of the infected computer. The rootkit hides files with the names:

~WTR<rnd>.tmp, where <rnd> is a random four-digit number

For example:

~WTR4132.tmp
~WTR4141.tmp

Files with LNK extensions which are 4171 bytes in size are also hidden. The rootkit file is signed with the digital signature of Realtek Semiconductor Corp.

It contains the following string:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original rootkit file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the system registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
  3. Delete the following file:
    %System%\drivers\mrxnet.sys
  4. Reboot the computer.
  5. Update your antivirus databases and perform a full scan of the computer.
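The indicators above (the MRxNet service key, the dropped driver, the Realtek signature, the ~WTR<rnd>.tmp names and the 4171-byte LNK files) can be checked in one pass before and after the removal steps. The following PowerShell triage function is an added example, not part of the Securelist description; the function name and the scanned roots are my own choices, and the file search only finds the hidden files once the driver is no longer active.

```powershell
# Added example (not from the Securelist description): report the
# Rootkit.Win32.Stuxnet.b indicators listed above. Run from an elevated
# PowerShell prompt; the function name and scan roots are assumptions.
function Find-StuxnetBIndicators {
    param([string[]]$ScanRoots = @($env:SystemRoot, $env:TEMP))
    $findings = @()

    # 1. Persistence: the service key the rootkit creates under Services\MRxNet
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxNet'
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $svcKey (ImagePath=$img)"
    }

    # 2. The driver file dropped as %System%\drivers\mrxnet.sys (17400 bytes,
    #    signed with a Realtek Semiconductor Corp. certificate per the description)
    $drv = Join-Path $env:SystemRoot 'System32\drivers\mrxnet.sys'
    if (Test-Path $drv) {
        $sig = Get-AuthenticodeSignature -FilePath $drv
        $findings += "Driver file present: $drv size=$((Get-Item $drv).Length) " +
                     "signer='$($sig.SignerCertificate.Subject)' status=$($sig.Status)"
    }

    # 3. The driver registered with the kernel (shows up even if the file was removed)
    $loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='MRxNet'" -ErrorAction SilentlyContinue
    if ($loaded) {
        $findings += "Kernel driver registered: $($loaded.Name) state=$($loaded.State) path=$($loaded.PathName)"
    }

    # 4. Files the rootkit hides: ~WTR<4 digits>.tmp and .lnk files of exactly 4171 bytes.
    #    While the filter driver is active these are filtered out of directory
    #    listings, so an empty result here is NOT a clean bill; rescan after
    #    removal and reboot, or from offline media.
    foreach ($root in $ScanRoots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
          Where-Object { ($_.Name -match '^~WTR\d{4}\.tmp$') -or
                         ($_.Extension -ieq '.lnk' -and $_.Length -eq 4171) } |
          ForEach-Object { $findings += "Suspicious file: $($_.FullName) ($($_.Length) bytes)" }
    }

    if ($findings.Count -eq 0) { return @('No Rootkit.Win32.Stuxnet.b indicators found.') }
    return $findings
}

Find-StuxnetBIndicators | ForEach-Object { Write-Output $_ }
```

Add the root directories of any removable drives to ScanRoots when the infection vector was removable media, and repeat the scan after step 4 to confirm the hidden files are now visible and removed.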

(Quoted from http://www.securelist.com/en/descriptions/15071648/Rootkit.Win32.Stuxnet.b without translation)
