Trojan:WinNT/Stuxnet.A


Microsoft security software detects and removes this threat.
 
This threat injects code into security processes on your PC.
 
It is installed by TrojanDropper:Win32/Stuxnet.A.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation
Trojan:WinNT/Stuxnet.A might be present as the following file:

The trojan component runs as a hidden service named "MRXCLS" by using a registry modification, for example:
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
 
Sets value: "Description"
With data: "MRXCLS"
 
Sets value: "DisplayName"
With data: "MRXCLS"
 
Sets value: "ErrorControl"
With data: "0"
 
Sets value: "Group"
With data: "Network"
 
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
 
Sets value: "Start"
With data: "1"
 
Sets value: "Type"
With data: "1"
 
Sets value: "Data"
With data: "<hexadecimal values>"

Payload
Injects code
 
Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components, such as:

Analysis by Francis Allan Tan Seng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
 
  • The presence of the following files:
     
    <system folder>\mrxcls.sys
  • The presence of the following registry keys:

    HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
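
A host check for the file and registry indicators listed above, as an added PowerShell example that is not part of the original Microsoft entry. It assumes <system folder> means %windir%\System32, also looks in the Drivers folder named by the ImagePath value, and uses illustrative variable names.

```powershell
# Added example: looks for the Trojan:WinNT/Stuxnet.A indicators listed on this page.
# Run from an elevated PowerShell prompt on the host being checked.

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxCls'

# Values the page says are set under the service key.
$expected = [ordered]@{
    Description  = 'MRXCLS'
    DisplayName  = 'MRXCLS'
    ErrorControl = 0
    Group        = 'Network'
    Start        = 1
    Type         = 1
}

# Assumption: <system folder> is %windir%\System32; ImagePath names the Drivers folder.
$driverPaths = @(
    (Join-Path $env:windir 'System32\mrxcls.sys'),
    (Join-Path $env:windir 'System32\Drivers\mrxcls.sys')
)

$findings = @()

foreach ($path in $driverPaths) {
    # -Force makes Get-Item return files flagged hidden or system as well.
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
        $findings += "File present: $path"
    }
}

if (Test-Path -LiteralPath $serviceKey) {
    $findings += "Registry key present: $serviceKey"
    $props = Get-ItemProperty -LiteralPath $serviceKey
    foreach ($name in $expected.Keys) {
        # Compare as strings so DWORD and string data are handled the same way.
        if ($props.PSObject.Properties[$name] -and "$($props.$name)" -eq "$($expected[$name])") {
            $findings += "  $name = $($props.$name) (matches the listed value)"
        }
    }
    # Match on the file name only, because the stored path prefix can vary in form.
    if ("$($props.ImagePath)" -like '*\mrxcls.sys') {
        $findings += "  ImagePath = $($props.ImagePath)"
    }
    if ($props.PSObject.Properties['Data']) {
        $findings += "  Data value present ($($props.Data.Length) bytes)"
    }
}

if ($findings) { $findings } else { 'No listed Trojan:WinNT/Stuxnet.A indicators found.' }
```

A clean result only means these specific indicators are absent, so a full scan as described under "What to do now" still applies.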

Prevention


Alert level: Severe
First detected by definition: 1.85.1626.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jul 07, 2010
This entry was first published on: Jul 14, 2010
This entry was updated on: Dec 23, 2013

This threat is also detected as:
  • Win32/PcClient.ACH (CA)