Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan arrives as a dropped file of another malware. It also arrives with certain files.

This Trojan is registered as a service that enables it to automatically execute during startup.

This Trojan may be dropped by other malware. It arrives as a component bundled with malware/grayware packages.

  TECHNICAL DETAILS

File Size: Varies
File Type: SYS
Memory Resident: Yes
Initial Samples Received Date: 19 Oct 2011

Arrival Details

This Trojan may be dropped by other malware.

It arrives as a component bundled with malware/grayware packages.

NOTES:

It arrives as a dropped file of another malware as any of the following:

  • %System%\Drivers\cmi4432.sys
  • %System%\Drivers\jminet7.sys

It also arrives with the following files:

  • %Windows%\inf\cmi4432.pnf - TROJ_DUQU.ENC
  • %Windows%\inf\cmi4464.pnf - TROJ_DUQU.CFG
  • %Windows%\inf\netp191.pnf - TROJ_DUQU.ENC
  • %Windows%\inf\netp192.pnf - TROJ_DUQU.CFG

This Trojan is registered as a service that enables it to automatically execute during startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
Description = JmiNET3
DisplayName = JmiNET3
ErrorControl = 0
Group = Network
ImagePath = \\??\\C:\\WINDOWS\\system32\\Drivers\\jminet7.sys
Start = 1
Type = 1
FILTER = {hex values}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432
Description = cmi4432
DisplayName = cmi4432
ErrorControl = 0
Group = Network
ImagePath = \\??\\C:\\WINDOWS\\system32\\Drivers\\cmi4432.sys
Start = 1
Type = 1
FILTER = {hex values}

The "FILTER" registry entry contains encrypted data that RTKT_DUQU.SME decrypts to get the path of TROJ_DUQU.ENC and a process name where it will be injected. Decrypting TROJ_DUQU.ENC results into a DLL file that is injected in the process specified in the registry. The decrypted DLL is detected by Trend Micro as TROJ_DUQU.DEC.

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.508.05
FIRST VSAPI PATTERN DATE: 19 Oct 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by RTKT_DUQU.SME

    • TROJ_DUQU.CFG
    • TROJ_DUQU.ENC
    • TROJ_DUQU.DEC

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • JmiNET3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • cmi4432

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as RTKT_DUQU.SME. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.