Detected Jul 12 2010 07:57 GMT
Released Jul 12 2010 16:22 GMT
Published Sep 20 2010 12:28 GMT
This rootkit is designed to conceal malicious program files. It is an NT kernel-mode driver, 17400 bytes in size.
The rootkit copies its executable file as:
To ensure that it is launched automatically when the system is rebooted, the rootkit creates the following service registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001
(Type 1 denotes a kernel-mode driver; Start 1 means the driver is loaded by the I/O manager during boot, before the service control manager starts.)
When it loads, the driver attaches itself as a file system filter driver to the following file system devices:
\FileSystem\ntfs
\FileSystem\fastfat
\FileSystem\cdfs
It thereby intercepts file system requests on the infected computer and can remove entries from directory listings. The rootkit hides files with the names:
~WTRrnd.tmp, where rnd is a random four-digit number
Files with the LNK extension that are exactly 4171 bytes in size are also hidden. The rootkit file is signed with a digital signature issued to Realtek Semiconductor Corp.
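The two on-disk indicators the description gives, the MRxNet service key and the hide rule applied by the filter driver, can be turned into a check. The following is an added example and not code from the Securelist description or from the rootkit itself: it parses a .reg-style fragment of the service key and reports the characteristics listed above (service name, ImagePath ending in mrxnet.sys, kernel driver with system start), and it applies the stated hide rule (~WTR followed by four digits and .tmp, or a .lnk file of exactly 4171 bytes) to a directory listing. The sample key text and the file listing are constructed for the example; the real file sizes of the .tmp files are not given on this page. Because the filter driver answers directory enumeration on a live infected system, the listing must come from outside the infected OS (an image mounted read-only, or a boot from clean media), otherwise the hidden entries never appear.

```python
"""Detection logic for the MRxNet rootkit artifacts described above (added example)."""
import os
import re

# Constructed sample: the service key from the description, in regedit export
# syntax (every backslash doubled inside REG_SZ values).
MRXNET_SERVICE_KEY = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXCLS"
"DisplayName"="MRXNET"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\%System%\\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

SERVICE_KERNEL_DRIVER = 1   # Type=1
SERVICE_SYSTEM_START = 1    # Start=1: loaded by the I/O manager at boot

# One value line: "name"=dword:xxxxxxxx  or  "name"="string"
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_fragment(text):
    """Parse a single-key .reg fragment into {'key': str, 'values': {name: value}}.
    REG_SZ values have regedit's backslash/quote escaping undone; dwords become ints."""
    key = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        name, dword, string = m.groups()
        if dword is not None:
            values[name] = int(dword, 16)
        else:
            values[name] = string.replace('\\\\', '\\').replace('\\"', '"')
    if key is None:
        raise ValueError("no [key] header found")
    return {'key': key, 'values': values}


def mrxnet_service_indicators(text):
    """Return which of the description's service-key characteristics the fragment matches."""
    entry = parse_reg_fragment(text)
    v = entry['values']
    hits = []
    if entry['key'].lower().endswith('\\services\\mrxnet'):
        hits.append('service name MRxNet')
    if v.get('ImagePath', '').lower().endswith('\\drivers\\mrxnet.sys'):
        hits.append('ImagePath points at mrxnet.sys')
    if v.get('Type') == SERVICE_KERNEL_DRIVER and v.get('Start') == SERVICE_SYSTEM_START:
        hits.append('kernel driver loaded at system start')
    return hits


HIDDEN_TMP_RE = re.compile(r'^~WTR\d{4}\.tmp$', re.IGNORECASE)
HIDDEN_LNK_SIZE = 4171


def hidden_by_mrxnet(name, size):
    """The filter driver's hide rule as the description states it."""
    if HIDDEN_TMP_RE.match(name):
        return True
    return name.lower().endswith('.lnk') and size == HIDDEN_LNK_SIZE


def find_hidden_artifacts(listing):
    """listing: iterable of (name, size) pairs taken from outside the infected OS."""
    return sorted(name for name, size in listing if hidden_by_mrxnet(name, size))


def scan_directory(path):
    """Walk a directory tree (e.g. a mounted image) and return paths the rootkit hides."""
    found = []
    for root, _dirs, files in os.walk(path):
        for f in files:
            full = os.path.join(root, f)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue
            if hidden_by_mrxnet(f, size):
                found.append(full)
    return sorted(found)


# Constructed listing: two matching .tmp names, one near miss with five digits,
# one 4171-byte .lnk, a 4171-byte file that is not a .lnk, and a 4172-byte .lnk.
SAMPLE_LISTING = [
    ('~WTR4132.tmp', 20480),
    ('~WTR4141.tmp', 16384),
    ('~WTR41410.tmp', 1),
    ('shortcut.lnk', 4171),
    ('readme.txt', 4171),
    ('notes.lnk', 4172),
]

if __name__ == '__main__':
    print(mrxnet_service_indicators(MRXNET_SERVICE_KEY))
    print(find_hidden_artifacts(SAMPLE_LISTING))
```

The size test is deliberately exact: a 4170- or 4172-byte .lnk is not hidden, which is why the listing above includes one of each. scan_directory is the same rule applied to a real tree and is only meaningful when the tree is not being served by the infected kernel.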
It contains the following string:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original rootkit file (the location will depend on how the program originally penetrated the victim machine).
- Delete the system registry key:
- Delete the following file:
- Reboot the computer
- Update your antivirus databases and perform a full scan of the computer
(Quoted from http://www.securelist.com/en/descriptions/15071648/Rootkit.Win32.Stuxnet.b without translation)