Threat Descriptons



Category :


Type :


Aliases :

Trojan-Dropper:W32/Stuxnet, Rootkit:W32/Stuxnet, Trojan-Dropper.Win32.Stuxnet.a, Trojan.Agent.AQCK


Trojan-Dropper:W32/Stuxnet automatically executes itself and drops files onto the system by exploiting a vulnerability in various Windows versions (CVE-2010-2568) that allows malicious code to run when a specially crafted shortcut icon is displayed. This malware appears to be targeted to businesses using Siemens >SIMATIC WinCC database applications, as its payload involves data theft from these resources.


  • Delete the following Registry Keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
  • Delete the following files:
    • %windir%\inf\mdmcpq3.PNF
    • %windir%\inf\mdmeric3.PNF
    • %windir%\inf\oem6C.PNF
    • %windir%\inf\oem7A.PNF
    • %windir%\system32\drivers\mrxcls.sys
    • %windir%\system32\drivers\mrxnet.sys
  • Turn-off AutoPlay on all drives (for more details, see
  • Reboot the system.
  • Clean the malware components from the infected USB thumb drive:
    • Open Command Prompt
    • Change drive to USB drive
    • Run command "del *.lnk"
    • Run command "del *.tmp"

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This malware is further discussed in the following Labs weblog posts:

For more information, please also refer to Microsoft Security Advisory 2286198.


Stuxnet shares similarities with an Autorun worm, as it usually arrives via an infected USB thumb drive or other removable media, and once on an infected computer, will save copies of itself on other removable media for propagation to new victim machines. However, instead of exploiting a vulnerability to forcibly execute an autorun.inf file, Stuxnet takes advantage of a vulnerability in parsing shortcut (.LNK) files in order to execute a malicious Control Panel module.

An attacker can subvert this operation with a specially crafted .LNK file, which is pointed to a specially crafted Control Panel module (in reality, the malware). When the system attempts to resolve the shortcut file's icon, the vulnerability is triggered and the Control Panel module is automatically executed. The user does not need to click on the icon in order for the malware to be executed.

In order to work with this exploit, the malicious shortcut file has to be formatted as a valid Control Panel shortcut, while the trojan-dropper component itself must be formatted to be a valid Control Panel module.

The exploit may also be embedded in document files that support embedded shortcuts (see LNK Vulnerability: Embedded Shortcuts in Documents). We detect the exploit as Exploit:W32/WormLink.


On execution, the malware drops the following files onto the system:

  • 2 files ( mrxcls.sys and mrxnet.sys) - Dropped in C:\Windows\System32\Drivers folder
  • C:\Windows\inf\oem7a.PNF - An encrypted DLL file, the trojan-dropper's main component
  • C:\Windows\inf\mdmcpq3.PNF - An encrypted data file
  • C:\Windows\inf\mdmeric3.PNF
  • C:\Windows\inf\oem6c.PNF

An alert user may recognize the presence of a Stuxnet infection if the following items are present (which is helpful if the infected machine has no antivirus product installed):

  • The 2 dropped files, mrxcls.sys and mrxnet.sys, are found in C:\Windows\System32\Drivers folder
  • The registry keys associated with the 2 dropped drivers are visible:
    • HKLM\System\CurrentControlSet\Services\Services\MRxNet
    • HKLM\System\CurrentControlSet\Services\Services\MRxCls


The encrypted DLL file contained in the dropped oem7a.PNF file is injected into a process, using the following name structure:

  • [normaldll].ASLR.[random] - e.g., Kernel32.dll.aslr.21af34

The injection is performed by the mrxcls.sys file, which is responsible for attaching and copying the DLL into the target process. The rest of the injection routine is carried out by 2 additional components embedded in the mrxcls.sys file, which are also loaded into the same process space.

Mrxcls.sys also injects code to these processes:

  • services.exe
  • svchost.exe
  • lsass.exe


The file mrxnet.sys checks for files on the system with the following extensions:

  • .TMP
  • ~WTR
  • .LNK

If a match is found, the files are hidden by modifying the FileInfo structure.Meanwhile, the DLL attempts to connect to any available Siemens >SIMATIC WinCC applications using hard-coded administrative username/password credentials. If successfully connected, it attempts to locates the file \GraCS\cc_tlg7.sav in all database names that starts with CC. If the file is found, the DLL then extracts it as cc_tlg7.savx.

The DLL also connects to domains which are listed in the encrypted mdmcpq3.PNF file.If the targeted files are not found on the infected system, Stuxnet will save copies of itself as TMP files onto an available removable drive, using the following filenames:

  • ~WTR4132.tmp - Main installer from the USB drive
  • ~WTR4141.tmp - First driver loader in the USB drive

The following files are also dropped to the removable drive:

  • Copy of Shortcut to.lnk
  • Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Shortcut to.lnk
  • Copy of Copy of Copy of Copy of Shortcut to.lnk

These shortcuts are responsible for loading the ~WTR4141.tmp file whenever the infected removable drive is plugged into a new system; the ~WTR4141.tmp file in turn loads the ~WTR4132.tmp file.


The file ~WTR4141.tmp hooks the following APIs to hide the malware files in the removable drive:

  • FindFirstFileW
  • FindNextFileW
  • FindFirstFileExW
  • NtQueryDirectoryFile
  • ZwQueryDirectoryFile
More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.