
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


  • Threat level: Low threat
  • Damage: High
  • Distribution: Not widespread


The aim of Stuxnet.A is to carry out a targeted attack against companies with SCADA (see Note) systems that use Siemens WinCC, in order to steal information.

To install itself on the computer, it exploits the vulnerability MS10-046 (CVE-2010-2568), a Windows vulnerability that affects shortcuts and allows remote code execution.

Stuxnet.A carries out the following actions:

  • The infection starts with several shortcuts, specially designed to exploit the vulnerability, which are located on an infected USB key.
  • The malicious shortcuts are the following:
    Copy of Copy of Copy of Copy of Shortcut to.lnk
    Copy of Copy of Copy of Shortcut to.lnk
    Copy of Copy of Shortcut to.lnk
    Copy of Shortcut to.lnk
  • If the computer is vulnerable, the library ~WTR4141.TMP is automatically downloaded and run without the user clicking on the shortcut, as this vulnerability allows remote code execution.
  • This library loads and runs another library, called ~WTR4132.TMP, which drops several rootkits onto the computer. These rootkits hide the worm, making it more difficult to detect.


Microsoft has already released the security patch that fixes this vulnerability. If you have a Windows 2008/7/Vista/2003/XP computer, it is recommended that you download and apply the security patch for this vulnerability. Access the web page for downloading the patch.


Note: SCADA stands for supervisory control and data acquisition. It generally refers to an industrial control system: a computer system monitoring and controlling a process.

Infection strategy 

Stuxnet.A creates the following files:

  • MRXCLS.SYS and MRXNET.SYS, in the drivers folder of the Windows system directory. These files belong to the malware detected as Rootkit/TmpHider. They carry the digital signatures of certain companies, which have supposedly been stolen from them. The aim is to pass themselves off as legitimate files.
  • MDMCPQ3.PNF, MDMERIC3.PNF, OEM6C.PNF and OEM7A.PNF, in the Inf folder of the Windows directory. The files with a PNF extension contain encrypted data.


Stuxnet.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxCls\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MRxNet\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\Enum

By creating these entries, the rootkits register themselves as a service and can be run whenever the computer is started. Additionally, they are injected into the LSASS.EXE, SERVICES.EXE, EXPLORER.EXE and SVCHOST.EXE processes, so that they cannot be viewed.

Means of transmission 

Stuxnet.A spreads through removable devices, such as USB keys, by copying the malicious shortcuts to the USB keys that are connected to an infected computer. These shortcuts exploit the vulnerability called MS10-046 (CVE-2010-2568), which affects files with a LNK extension.
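
The file names from the Infection strategy section and the shortcut names listed earlier can be turned into a triage check. The following is an added example, not code from Panda Security; because the page says the rootkits hide the worm on a running system, it assumes the Windows directory comes from an offline-mounted disk image, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Names as listed on this page: folder under the Windows directory -> dropped files.
DROPPED = {
    "system32/drivers": {"mrxcls.sys", "mrxnet.sys"},
    "inf": {"mdmcpq3.pnf", "mdmeric3.pnf", "oem6c.pnf", "oem7a.pnf"},
}
# "Shortcut to.lnk" with one to four "Copy of " prefixes, as listed on this page.
LNK_RE = re.compile(r"^(copy of ){1,4}shortcut to\.lnk$", re.IGNORECASE)
# Assumption: the page does not say where these libraries are stored.
LOADERS = {"~wtr4141.tmp", "~wtr4132.tmp"}


def _child(parent, name):
    """Case-insensitive lookup: an NTFS image may be mounted on a case-sensitive OS."""
    if parent is None or not parent.is_dir():
        return None
    return next((p for p in parent.iterdir() if p.name.lower() == name), None)


def scan_windows_dir(windows_dir):
    """Return paths of the listed driver/PNF files under an offline Windows directory."""
    hits = []
    for rel, names in DROPPED.items():
        folder = Path(windows_dir)
        for part in rel.split("/"):
            folder = _child(folder, part)
        if folder is not None and folder.is_dir():
            hits += [str(p) for p in sorted(folder.iterdir()) if p.name.lower() in names]
    return hits


def scan_removable(root):
    """Return names of files on a removable volume matching the shortcut or library names."""
    return sorted(p.name for p in Path(root).rglob("*")
                  if p.is_file() and (LNK_RE.match(p.name) or p.name.lower() in LOADERS))


if __name__ == "__main__":
    # Constructed sample: empty files standing in for a mounted image and a USB key.
    with tempfile.TemporaryDirectory() as tmp:
        drivers, usb = Path(tmp, "WINDOWS/System32/DRIVERS"), Path(tmp, "usb")
        drivers.mkdir(parents=True)
        usb.mkdir()
        (drivers / "MRXNET.SYS").touch()
        (usb / "Copy of Shortcut to.lnk").touch()
        print(scan_windows_dir(Path(tmp, "WINDOWS")), scan_removable(usb))
```

A name match is only a lead for further analysis: the check does not inspect file contents or signatures.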

Further Details  

Stuxnet.A is 8,192 bytes in size.

Stuxnet.A creates several random mutexes in order to ensure that only one copy of the worm is active at any moment.

