System changes
The following system changes may indicate the presence of this malware:
- The presence of the following file:
<system folder>\Drivers\mrxcls.sys
- The presence of the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Installation
Trojan:WinNT/Stuxnet.A may be present as the following file:
<system folder>\Drivers\mrxcls.sys
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
The trojan component runs as a kernel-mode driver service named "MRXCLS", registered by creating the following registry values (Type 1 is a kernel driver; Start 1 means it is loaded at system start):
Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: "<hexadecimal values>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Payload
Injects code
Trojan:WinNT/Stuxnet.A injects malicious code into the running process "LSASS.EXE". The injected code and its configuration are taken either from data written in the registry (the "Data" value of the service key above) or from files dropped by other TrojanDropper:Win32/Stuxnet.A components, such as the following:
%windir%\inf\mdmcpq3.pnf
%windir%\inf\mdmeric3.pnf
%windir%\inf\oem6c.pnf
%windir%\inf\oem7a.pnf
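The file, service-key and .pnf indicators listed in the System changes, Installation and Payload sections above, checked offline as an added example that is not code from the original entry: the script parses a .reg export of the MRxCls service key and a list of file paths and reports which indicators match. SAMPLE_REG is a constructed stand-in for `reg export` output (its Data bytes are invented filler, not real configuration), SAMPLE_FILES is a constructed stand-in for a directory listing, and the function names parse_reg, decode_value, check_mrxcls_service, matching_files and triage are the example's own.

```python
"""Offline triage of the Trojan:WinNT/Stuxnet.A indicators in this entry.

Added example, not code from the original entry. SAMPLE_REG and SAMPLE_FILES
are constructed inputs standing in for `reg export` output and a directory
listing of the Windows folder.
"""
import re

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls"

# Files listed in the entry, as suffixes relative to the Windows folder, so the
# check works whatever drive and folder Windows is installed in.
FILE_INDICATORS = (
    r"\system32\drivers\mrxcls.sys",
    r"\inf\mdmcpq3.pnf", r"\inf\mdmeric3.pnf",
    r"\inf\oem6c.pnf", r"\inf\oem7a.pnf",
)

# Constructed .reg text mirroring the values the entry lists (Data is filler).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"ErrorControl"=dword:00000000
"Group"="Network"
"ImagePath"="\\??\\C:\\Windows\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"Data"=hex:8e,f2,a1,00,3c,77,\
  10,ff
"""

# Constructed file listing; the .inf is a benign sibling that must not match.
SAMPLE_FILES = [
    r"C:\Windows\system32\Drivers\mrxcls.sys",
    r"C:\Windows\inf\mdmcpq3.pnf",
    r"C:\Windows\inf\oem7a.pnf",
    r"C:\Windows\inf\mdmcpq.inf",
]

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_value(raw):
    """Decode one .reg value body: quoted string, dword, or hex[(type)] bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # .reg escapes \ and " with \
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":  # REG_EXPAND_SZ (e.g. ImagePath) exports as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg(text):
    """Parse .reg text into {key path (lower-cased): {value name: value}}."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = (pending + line.strip()) if pending else line.rstrip()
        pending = ""
        if line.endswith("\\"):  # long hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1) or "@"] = decode_value(m.group(2))
    return keys


def check_mrxcls_service(values):
    """Compare exported MRxCls values with those listed in the entry.

    Type 1 is SERVICE_KERNEL_DRIVER and Start 1 is SERVICE_SYSTEM_START; many
    legitimate drivers share that profile, so the path and Data blob matter most.
    """
    image = str(values.get("ImagePath", "")).lower()
    data = values.get("Data", b"")
    return {
        "kernel_driver": values.get("Type") == 1,
        "system_start": values.get("Start") == 1,
        "driver_path": image.endswith(r"\drivers\mrxcls.sys"),
        "display_name": values.get("DisplayName") == "MRXCLS",
        "group_network": values.get("Group") == "Network",
        "config_blob": isinstance(data, bytes) and len(data) > 0,
    }


def matching_files(paths):
    """Return the observed paths that end with one of the listed indicators."""
    return sorted(p for p in paths
                  if any(p.lower().endswith(s) for s in FILE_INDICATORS))


def triage(reg_text, paths):
    """Combine the registry and file checks into one report for the host."""
    service = parse_reg(reg_text).get(SERVICE_KEY.lower())
    return {
        "service_key_present": service is not None,
        "service": check_mrxcls_service(service or {}),
        "files": matching_files(paths),
    }
```

On a live host the registry input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services\MRxCls mrxcls.reg` (reg.exe writes UTF-16 with a BOM, so open the file with encoding="utf-16"), and the path list from a recursive listing of %windir%. Since Type 1 / Start 1 / Group "Network" is the profile of an ordinary boot-start kernel driver, treat the driver path and the presence of the binary Data value as the discriminating findings; the four .pnf names are indicators because real precompiled INF caches in %windir%\inf carry the name of an existing .inf, which these do not.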
Analysis by Francis Allan Tan Seng