Mal/Duqu-A

Category: Viruses and Spyware
Protection available since: 21 Oct 2011 18:59:01 (GMT)
Type: Malicious behavior
Last Updated: 17 Jan 2012 23:14:04 (GMT)
Prevalence: Small Number of Reports


Mal/Duqu-A is a Trojan for the Windows platform.

Mal/Duqu-A detects the main driver component of a Duqu infection.

Mal/Duqu-A requires an external component to have registered the driver as a service.

On startup, Mal/Duqu-A reads the FILTER registry sub-key of its service registry entry, which contains encrypted configuration data created by the external component.

The decrypted contents of the FILTER registry key contain the path to an encrypted DLL, detected as Troj/DuquCn-B, together with the key needed to decrypt that DLL; the decrypted DLL is detected as Troj/Duqu-B.

Mal/Duqu-A filenames used include:

  %SYSTEM%\drivers\jminet7.sys

  %SYSTEM%\drivers\cmi4432.sys

  %SYSTEM%\drivers\nfrd965.sys

  %SYSTEM%\drivers\adpu321.sys

The encrypted components used by Mal/Duqu-A are stored in %WINDOWS%\inf\*.pnf files, including "netp192.pnf" and "cmi4464.pnf".
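The description above gives a defender three things to look for: a kernel driver under one of the listed names, a service key carrying a FILTER sub-key, and .pnf files under %WINDOWS%\inf that are not the precompiled copies Windows normally writes there. The following script is an added example, not Sophos' tooling, that applies those indicators (and the SHA-1/MD5 values from the examples below) to constructed sample records. The record shapes (service name, image path, sub-key list, service kind; a directory listing; a path-to-hash map) are assumptions for the example; on a live host they would be read from the Services hive, the inf directory and a file hasher. The "orphan .pnf" rule is a heuristic assumption not stated on the page: Windows generates a .pnf as a precompiled copy of an .inf with the same base name, so a .pnf with no sibling .inf deserves a look.

```python
"""Offline hunt for the Mal/Duqu-A indicators on this page.

Added example, not Sophos' code. All inputs are constructed samples;
on a real host they would come from the registry and file system.
"""
import ntpath

# Indicators quoted from the detection description.
DRIVER_NAMES = {"jminet7.sys", "cmi4432.sys", "nfrd965.sys", "adpu321.sys"}
PNF_NAMES = {"netp192.pnf", "cmi4464.pnf"}
KNOWN_SHA1 = {
    "21c3dbecd561c490ee7710a8ef8a971d25708a87",
    "588476196941262b93257fd89dd650ae97736d4d",
    "820b09a0295da73527f124250937f52b790a25a7",
}
KNOWN_MD5 = {
    "ebcfcb678bb6240297a27802f037d727",
    "4541e850a228eb69fd0f0e924624b245",
    "bdb562994724a35a1ec5b9e85b8e054f",
}


def check_service(name, image_path, subkeys, kind):
    """Findings for one entry under HKLM\\SYSTEM\\CurrentControlSet\\Services.

    `kind` is an assumed field ("kernel_driver" or "win32_service") standing
    in for the service Type value.
    """
    findings = []
    base = ntpath.basename(image_path).lower()
    if base in DRIVER_NAMES:
        findings.append(f"service {name}: image {base} is a Mal/Duqu-A driver name")
    # The page states the driver reads the FILTER sub-key of its own service
    # key for its encrypted configuration, so a kernel driver with that
    # sub-key is worth review even if its file name is not on the list.
    if kind == "kernel_driver" and "FILTER" in {k.upper() for k in subkeys}:
        findings.append(f"service {name}: kernel driver with FILTER sub-key")
    return findings


def check_pnf_files(inf_listing):
    """Flag .pnf names from the page and, heuristically, orphan .pnf files.

    `inf_listing` is a constructed list of file names in %WINDOWS%\\inf.
    The orphan rule (a .pnf with no .inf of the same base name) is an
    assumption of this example, not something the page states.
    """
    names = {n.lower() for n in inf_listing}
    findings = []
    for n in sorted(names):
        if not n.endswith(".pnf"):
            continue
        if n in PNF_NAMES:
            findings.append(f"{n}: matches a Mal/Duqu-A component name")
        elif n[:-4] + ".inf" not in names:
            findings.append(f"{n}: .pnf without a matching .inf (orphan)")
    return findings


def check_hashes(file_hashes):
    """`file_hashes` maps path -> {'sha1': hex, 'md5': hex} (constructed)."""
    findings = []
    for path, h in file_hashes.items():
        sha1 = h.get("sha1", "").lower()
        md5 = h.get("md5", "").lower()
        if sha1 in KNOWN_SHA1 or md5 in KNOWN_MD5:
            findings.append(f"{path}: hash matches a Mal/Duqu-A example")
    return findings


def hunt(services, inf_listing, file_hashes):
    """Run all three checks and return the combined list of findings."""
    findings = []
    for svc in services:
        findings += check_service(**svc)
    findings += check_pnf_files(inf_listing)
    findings += check_hashes(file_hashes)
    return findings


def sample_findings():
    """Run the hunt over constructed sample data (not from a real host)."""
    services = [
        {"name": "jminet7", "image_path": "%SYSTEM%\\drivers\\jminet7.sys",
         "subkeys": ["FILTER", "Enum"], "kind": "kernel_driver"},
        {"name": "Tcpip", "image_path": "system32\\drivers\\tcpip.sys",
         "subkeys": ["Parameters"], "kind": "kernel_driver"},
        {"name": "Spooler", "image_path": "%SystemRoot%\\System32\\spoolsv.exe",
         "subkeys": ["Security"], "kind": "win32_service"},
    ]
    inf_listing = ["netp192.pnf", "oem1.inf", "oem1.pnf", "stray99.pnf"]
    file_hashes = {
        "C:\\Windows\\System32\\drivers\\jminet7.sys": {
            "sha1": "21c3dbecd561c490ee7710a8ef8a971d25708a87",
            "md5": "ebcfcb678bb6240297a27802f037d727"},
        "C:\\Windows\\System32\\drivers\\tcpip.sys": {
            "sha1": "0" * 40, "md5": "0" * 32},  # constructed placeholder
    }
    return hunt(services, inf_listing, file_hashes)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

On the constructed data the sample yields five findings: two for the jminet7 service (listed driver name plus FILTER sub-key), one for netp192.pnf, one for the orphan stray99.pnf, and one hash match. oem1.pnf is not flagged because oem1.inf sits beside it.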

Examples of Mal/Duqu-A include:

Example 1

File Information
Size: 50K
SHA-1: 21c3dbecd561c490ee7710a8ef8a971d25708a87
MD5: ebcfcb678bb6240297a27802f037d727
CRC-32: 2e30418c
File type: application/x-ms-dos-executable
First seen: 2011-11-29

Other vendor detection
Kaspersky: Trojan.Win32.Duqu.a

Example 2

File Information
Size: 29K
SHA-1: 588476196941262b93257fd89dd650ae97736d4d
MD5: 4541e850a228eb69fd0f0e924624b245
CRC-32: a203c94a
File type: application/x-ms-dos-executable
First seen: 2011-10-15

Other vendor detection
Kaspersky: Trojan.Win32.Duqu.a

Example 3

File Information
Size: 25K
SHA-1: 820b09a0295da73527f124250937f52b790a25a7
MD5: bdb562994724a35a1ec5b9e85b8e054f
CRC-32: 4178d12c
File type: application/x-ms-dos-executable
First seen: 2011-10-21

Other vendor detection
Kaspersky: Trojan.Win32.Duqu.a