Home / malware Trojan:WinNT/Duqu.A
First posted on 26 October 2011.
Source: SecurityHomeAliases :
Trojan:WinNT/Duqu.A is also known as PWS-Duqu!rootkit (McAfee).
Explanation :
Trojan:WinNT/Duqu.A is a malware component of Win32/Duqu, a trojan that allows unauthorized remote access and control of an affected computer. This trojan component injects payload instructions, detected as Trojan:Win32/Duqu.A, into other processes.
Top
Trojan:WinNT/Duqu.A is a malware component of Win32/Duqu, a trojan that allows unauthorized remote access and control of an affected computer. This trojan component injects payload instructions, detected as Trojan:Win32/Duqu.A, into other processes.
Installation
Trojan:WinNT/Duqu.A may be installed as a device driver named "JmiNET3.sys" or "cmi4432.sys" and loads as a service at each Windows start. Trojan:WinNT/Duqu.A creates the following devices:
- \Device\{3093AAZ3-1092-2929-9391}
- \Device\Gpd1
Payload
Injects malware into other processes Trojan:WinNT/Duqu.A reads encrypted configuration data from specific registry subkeys that contains the following informationThe malware was observed to read data from the following registry subkeys:
- list of target process names, such as "services.exe", used by the trojan to inject malicious code
- path of the payload file used to inject into processes
- HKLM\SYSTEM\CurrentControlSet\Services\JmiNET3\FILTER
- HKLM\SYSTEM\CurrentControlSet\Services\cmi4432\FILTER
The following are examples of file names containing the payload code, detected as Trojan:Win32/Duqu.A:
Additional InformationFor more information about Trojan:Win32/Duqu.A, see the description elsewhere in the encyclopedia.
- %systemroot%\inf\netp191.PNF
- %systemroot%\inf\cmi4432.PNF
Analysis by Shawn WangLast update 26 October 2011
