
Trojan:Win32/Duqu.C


Trojan:Win32/Duqu.C is a detection for malicious code that Trojan:Win32/Duqu.B injects into running processes, such as "lsass.exe". Trojan:Win32/Duqu.C attempts to communicate with a remote server at IP address 206.183.111.97 to download additional code, which the malware may use to perform other actions and to allow unauthorized access to an affected computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

 

Threat behavior

Installation
Trojan:Win32/Duqu.C is injected into running processes, such as "lsass.exe", by Trojan:Win32/Duqu.B. It does not install itself; it exists only as code inside a process that Duqu.B has already compromised.
Payload
Communicates with a remote server
Trojan:Win32/Duqu.C attempts to communicate with a remote server at IP address 206.183.111.97 to download additional code. The malware was observed to download code that could collect details about the affected computer, including:
    • Current process name
    • Name of network domain joined
    • Root drive serial number
    • Remote Desktop Services session ID that the current process is running within
    • User SID that the current process is running as
    • Network adapter description and MAC address
    • DHCP server IP address
    • IP address
    • TCP/UDP connection details
    • IPv4 routing table
    • Screenshots
    • Title and process ID (PID) of visible windows
    • Information about local drives attached
    • Connected network resource and associated user's name
    • Shared resources
    • List of shared files currently opened by a remote computer
    • Size of specified files
At the time of this writing, the server was unavailable for analysis.
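The two indicators this entry gives, the server address 206.183.111.97 and "lsass.exe" as an injection target, can be turned into a quick host triage check. The following is an added example, not code from the Microsoft entry: it parses "netstat -ano" style output and a PID-to-image map (both samples are constructed, not real captures), flags any connection to the listed address, and additionally flags connections from lsass.exe to public addresses, on the assumption that lsass.exe normally talks only to domain controllers on internal addresses. A host whose code was downloaded while the server was up may show nothing on the wire once the server is gone, as the entry notes, so a clean result does not clear the machine.

```python
import ipaddress
import re

# Indicator taken from the entry above: the server Duqu.C tries to reach.
DUQU_C_C2 = {"206.183.111.97"}

# Process named in the entry as an injection target. Assumption made here:
# lsass.exe legitimately speaks only to domain controllers (Kerberos, LDAP),
# so a connection from it to a public address is worth a second look even
# when the destination is not a known indicator.
INJECTION_TARGETS = {"lsass.exe"}

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.0.15:49160        10.0.0.1:88            ESTABLISHED     624
  TCP    10.0.0.15:49322        206.183.111.97:80      ESTABLISHED     624
  TCP    10.0.0.15:49330        93.184.216.34:443      ESTABLISHED     3120
  TCP    10.0.0.15:49340        185.25.51.9:443        ESTABLISHED     624
  UDP    10.0.0.15:137          *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {880: "svchost.exe", 624: "lsass.exe", 3120: "iexplore.exe", 4: "System"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def split_endpoint(endpoint):
    """Return (ip, port) for 'a.b.c.d:port' or '[v6]:port'; None for '*:*' or junk."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        return None
    try:
        return ipaddress.ip_address(host), port
    except ValueError:
        return None


def find_suspicious_connections(netstat_text, pid_to_image):
    """Return a list of (reason, pid, image, foreign_ip) for connections that match."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header line or something netstat did not produce
        _proto, _local, foreign, _state, pid = m.groups()
        pid = int(pid)
        remote = split_endpoint(foreign)
        if remote is None:
            continue  # unbound UDP socket, nothing to attribute
        ip, _port = remote
        image = pid_to_image.get(pid, "<unknown>")
        if str(ip) in DUQU_C_C2:
            hits.append(("known Duqu.C C2 address", pid, image, str(ip)))
        elif image.lower() in INJECTION_TARGETS and ip.is_global:
            hits.append(("injection target talking to a public address", pid, image, str(ip)))
    return hits


if __name__ == "__main__":
    for reason, pid, image, ip in find_suspicious_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"[{reason}] pid={pid} image={image} remote={ip}")
```

On a live host, feed the function the output of "netstat -ano" and a map built from "tasklist" (or Get-NetTCPConnection and Get-Process on newer systems). A positive on the first rule is the entry's indicator; a positive on the second rule is a heuristic and needs confirmation, since the page does not say Duqu.C always uses lsass.exe or always uses port 80.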
Analysis by Shawn Wang

Symptoms

Because Trojan:Win32/Duqu.C runs only inside processes that already exist on the system, alert notifications or detections from installed antivirus or security software may be the only symptoms.

 

Prevention


Alert level: Severe
First detected by definition: 1.115.68.0
Latest detected by definition: 1.115.502.0 and higher
First detected on: Oct 19, 2011
This entry was first published on: Oct 15, 2011
This entry was updated on: Oct 25, 2011

This threat is also detected as:
  • Worm/Win32.Stuxnet (AhnLab)