PWS-Duqu
Posted: October 19, 2011
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level | 10/10 |
| Infected PCs | 47 |
| First Seen | October 19, 2011 |
| Last Seen | September 24, 2022 |
| OS(es) Affected | Windows |
PWS-Duqu is a backdoor Trojan based on the earlier Stuxnet Trojan, and it uses similarly advanced methods to attack and control Windows computers. The criminals behind PWS-Duqu attacks have been observed to focus their attacks on Northern Africa, southeastern Europe, the Middle East and India, so you may be in particular danger of being attacked by PWS-Duqu if you live in any of those regions. Although SpywareRemove.com malware experts have found that PWS-Duqu can be configured to launch a wide variety of attacks, PWS-Duqu's functions are primarily focused on delivering spyware programs, such as keyloggers, which can steal passwords and other forms of personal information. Because PWS-Duqu uses sophisticated techniques to avoid detection, using an anti-malware program to find and remove PWS-Duqu is more feasible than trying to find and delete PWS-Duqu by yourself.
PWS-Duqu – a Crippled but Still Deadly Backdoor Trojan
PWS-Duqu's criminal maintainers have achieved a minor measure of infamy by preferring to target regions in the range of the 'golden jackal,' a subtype of jackal that's often found in northern Africa, India and various Middle Eastern countries. In addition, PWS-Duqu's actual code and functions have clearly evolved from its comparatively older Stuxnet relative, although PWS-Duqu does lack some of Stuxnet's features, such as Stuxnet's PLC functions. Since detecting PWS-Duqu without software-based assistance can be very difficult, preventative measures, such as using strict browser security settings, are, as usual, the best defense.
PWS-Duqu, like most backdoor Trojans, can be reconfigured to change PWS-Duqu's attacks to a certain extent, but both PWS-Duqu's encryption file and several other components, including PWS-Duqu's .dll files, are encrypted to conceal their true purposes. Despite this capability, PWS-Duqu's ability to receive commands has been cut off due to the original command server in India being blacklisted. This means that any PC that's attacked by PWS-Duqu will most likely have to withstand PWS-Duqu's default attacks, such as installing keyloggers, until a new PWS-Duqu variant arises.
SpywareRemove.com malware analysts have also observed a second major victory against PWS-Duqu: the recent revocation of PWS-Duqu's certificates (digital signatures from trustworthy companies that vouch for the safety of the relevant software). The clever crooks behind PWS-Duqu used fake certificates to make PWS-Duqu appear trustworthy to anyone who bothered to look for PWS-Duqu's certificates, but now that PWS-Duqu's C-Media Electronics Corporation certificate has been revoked, PWS-Duqu has one less disguise to use to hide PWS-Duqu's attacks. In addition, not all variants of PWS-Duqu carry this certificate; one observed PWS-Duqu variant has been seen without any form of certificate at all.
An Analysis of PWS-Duqu's Hidden Hostility
In addition to PWS-Duqu's other methods of concealment, PWS-Duqu will hide the majority of PWS-Duqu's components in encrypted .dll files and drivers that appear to be parts of your normal operating system. Different variants of PWS-Duqu can also be detected as Troj/Bdoor-BDA, PWS-Duqu.dr and PWS-Duqu!rootkit, and as the latter implies, many PWS-Duqu variants do have the ability to launch themselves even in Safe Mode via rootkit-based exploits.
Attacks from PWS-Duqu can consist of, but aren't limited to:
- The installation of spyware, such as keyloggers that monitor keyboard keystrokes, take screenshots or even record microphone or webcam input. PWS-Duqu may attempt to steal passwords, identification credentials or banking information.
- Reduced security due to blocked software and alterations to your security settings. Your firewall may be riddled with exceptions, your network ports may be left open, and programs like Task Manager, MSConfig or anti-virus scanners may crash or fail to launch.
- Total loss of control over your PC. PWS-Duqu may be used to create backdoor access to your computer that allows remote criminals to force your PC to engage in DDoS crimes, spambotting and other forms of illegal behavior that use up your system resources without your permission.
Since SpywareRemove.com malware researchers have observed that some versions of PWS-Duqu include rootkit features, you should always use a suitable and up-to-date anti-malware program to remove a PWS-Duqu infection; visible symptoms of PWS-Duqu's activities may be minimal or even nonexistent.
PWS-Duqu, or Duqu, hides its actions by appearing to be a normal website. Behind the scenes, Duqu actually connects to the server identified as canoyraqomez.rapidns.com (IP: 206.183.111.97), which is based in India. From there, Duqu sends an HTTP request and the server responds with a blank JPG image, sending back the file dsc00001.jpg with embedded stolen data. The actual JPG file, if opened, shows nothing more than an image that looks like a picture of a galaxy. Duqu has a perplexing nature, and the JPG image used to transmit pilfered data remains something of a mystery, which is why you should take action to remove Duqu as soon as possible.
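As an added defender-side example (not code from the original write-up), the following Python triages a captured HTTP response against the two facts above: whether it came from the named C2 host or IP, and whether a JPEG body carries bytes appended after the End-Of-Image marker. That the embedded data is appended after EOI is an assumption; the page only says it rides inside the image. The sample JPEG bytes are constructed.

```python
# Indicators quoted in the write-up above: the Duqu C2 host name and its IP.
DUQU_C2_HOST = "canoyraqomez.rapidns.com"
DUQU_C2_IP = "206.183.111.97"

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_trailing_bytes(data: bytes) -> int:
    """Walk the JPEG marker segments and return how many bytes follow the End-Of-Image
    marker: 0 for a clean image, the payload length if something was appended."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI: anything after it is trailing
            return len(data) - (pos + 2)
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers carry no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip this segment
        if marker == 0xDA:                               # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))
            ):
                pos += 1                                 # 0xFF00 stuffing and RSTn are data
    raise ValueError("truncated JPEG: no EOI marker found")

def check_response(host: str, headers: dict, body: bytes) -> dict:
    """Triage one HTTP response: flag the known C2 host, and flag a JPEG body with bytes
    after EOI (assumed carrier for the embedded data; the page does not say where it sits)."""
    findings = []
    if host in (DUQU_C2_HOST, DUQU_C2_IP):
        findings.append("response from known Duqu C2 host")
    if headers.get("Content-Type", "").lower().startswith("image/jpeg"):
        try:
            trailing = jpeg_trailing_bytes(body)
            if trailing:
                findings.append(f"{trailing} bytes appended after JPEG EOI")
        except ValueError as err:
            findings.append(f"malformed JPEG body: {err}")
    return {"suspicious": bool(findings), "findings": findings}

# Constructed sample: a minimal JPEG (APP0 + SOS + scan bytes with one stuffed 0xFF00),
# then the same image with a fake payload appended after EOI.
MINIMAL_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + EOI)
TAMPERED_JPEG = MINIMAL_JPEG + b"[constructed stolen data]"
```

Run check_response(DUQU_C2_HOST, {"Content-Type": "image/jpeg"}, TAMPERED_JPEG) to see both findings raised on the constructed sample.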
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:
- %Program Files%\Protection Center\protext.dll (File type: Dynamic link library; MIME type: unknown/dll; Group: Malware file)
- %Documents and Settings%\[UserName]\Start Menu\ Update.lnk (File type: Shortcut; MIME type: unknown/lnk; Group: Malware file)
- %Windows%\system32\Drivers\jminet7.sys (File type: System file; MIME type: unknown/sys; Group: Malware file)
- %SystemDrive%\inf\netp191.pnf (MIME type: unknown/pnf; Group: Malware file)
- %SystemDrive%\inf\netp192.pnf (MIME type: unknown/pnf; Group: Malware file)
- %UserProfile%\Start Menu\Programs\PWS-Duqu\ (Group: Malware file)
- %UserProfile%\Start Menu\Programs\PWS-Duqu\Uninstall PWS-Duqu.lnk (File type: Shortcut; MIME type: unknown/lnk; Group: Malware file)
- %UserProfile%\Start Menu\Programs\PWS-Duqu\PWS-Duqu.lnk (File type: Shortcut; MIME type: unknown/lnk; Group: Malware file)
Registry Modifications
The following registry keys and values were created or modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ XTray.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 'SelfdelNT'
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'tmp'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '[random string]'
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
OMGOMGOMG I saw many guides saying open gpedit.msc, and my OS is Windows 7 Home Premium; well, those don't work as I didn't have gpedit.msc on my computer, so I tried this. Now I know that the inf file is to enable regedit for 3 seconds only, so as soon as you click install, quickly click that registry fix from the second link. And voila!!!! Task Manager and others enabled!!!!^^