Virus Information

Duqu


The Trojan may arrive as a Microsoft Word document containing an exploit for the Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462). Successful exploitation of the vulnerability will enable the Trojan to be dropped and executed on the targeted computer.

When the Trojan is executed, it creates one or more of the following files:

   %System%\drivers\jminet7.sys
   %System%\drivers\cmi4432.sys
   %System%\drivers\nfred95.sys
   %System%\drivers\nred961.sys
   %Windir%\inf\cmi4432.pnf
   %Windir%\inf\cmi4464.PNF
   %Windir%\inf\netp191.PNF

It then creates one or more of the following registry subkeys:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432
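A defender's way to use the file and registry artifacts listed above, as an added example that is not part of the original page: a small Python matcher that expands the %System% and %Windir% placeholders, normalizes case and the HKLM abbreviation (Windows paths and registry keys are case-insensitive), and checks a constructed host inventory against the indicators. The inventory lines, the C:\Windows install path, and the mapping of %System% to System32 are assumptions made for the example.

```python
"""Added example (not from the original page): match a constructed host
inventory against the Duqu file and registry artifacts listed above."""
import ntpath

# Indicators exactly as listed on the page. %System% and %Windir% are
# placeholders that must be expanded per host before comparison.
DUQU_FILES = [
    r"%System%\drivers\jminet7.sys",
    r"%System%\drivers\cmi4432.sys",
    r"%System%\drivers\nfred95.sys",
    r"%System%\drivers\nred961.sys",
    r"%Windir%\inf\cmi4432.pnf",
    r"%Windir%\inf\cmi4464.PNF",
    r"%Windir%\inf\netp191.PNF",
]
DUQU_SERVICES = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432",
]


def expand(path, windir=r"C:\Windows"):
    """Expand the write-up's placeholders for one host.
    Assumption: %System% is the System32 directory under %Windir%."""
    system = ntpath.join(windir, "System32")
    return path.replace("%System%", system).replace("%Windir%", windir)


def normalize_path(p):
    # Windows file paths compare case-insensitively.
    return p.strip().casefold()


def normalize_key(k):
    # Registry keys compare case-insensitively; also accept the HKLM alias.
    k = k.strip().strip("\\")
    if k[:5].upper() == "HKLM\\":
        k = "HKEY_LOCAL_MACHINE" + k[4:]
    return k.casefold()


def scan(file_paths, registry_keys, windir=r"C:\Windows"):
    """Return (kind, observed, indicator) for every exact match.
    Near-misses such as 'netp191.PNF.bak' are deliberately not matched."""
    wanted_files = {normalize_path(expand(f, windir)): f for f in DUQU_FILES}
    wanted_keys = {normalize_key(k): k for k in DUQU_SERVICES}
    hits = []
    for p in file_paths:
        ioc = wanted_files.get(normalize_path(p))
        if ioc:
            hits.append(("file", p, ioc))
    for k in registry_keys:
        ioc = wanted_keys.get(normalize_key(k))
        if ioc:
            hits.append(("registry", k, ioc))
    return hits


# Constructed sample inventory (not real host data): one clean driver,
# one dropped driver in odd case, one .PNF, one near-miss, one service key.
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\JMINET7.SYS",
    r"C:\Windows\inf\cmi4464.pnf",
    r"C:\Windows\inf\netp191.PNF.bak",
]
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\cmi4432",
]

if __name__ == "__main__":
    for kind, observed, ioc in scan(SAMPLE_FILES, SAMPLE_KEYS):
        print(f"{kind:8} {observed}  <-  {ioc}")
```

On a live host the inventory would come from a directory listing of %Windir%\inf and %System%\drivers and from a registry export of the Services key; the matcher only shows how to compare those against the write-up's indicators without being fooled by case differences or the HKLM shorthand.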

The Trojan then opens a back door allowing an attacker to gather the following information from the compromised computer:

   A list of running processes, account details, and domain information
   Drive names and other information, including those of shared drives
   Screenshots
   Network information (interfaces, routing tables, shares list, etc.)
   Keystrokes
   Open window names
   Enumerated shares
   File exploration on all drives, including removable drives
   Enumeration of computers in the domain through NetServerEnum

The Trojan then sends the information gathered to a predetermined command and control (C&C) server.

It also downloads further malicious files from the C&C server.
