/
Security Response/
W32.Duqu

W32.Duqu

Risk Level 1: Very Low

Printer Friendly Page|Rate this page

Discovered:: October 18, 2011
Updated:: October 19, 2011 10:25:53 AM
Also Known As:: TROJ_SHADOW.AF [Trend], TROJ_DUQU.ENC [Trend], TROJ_DUQU.DEC [Trend], Mal/Duqu-A [Sophos], RTKT_DUQU.A [Trend]
Type:: Trojan
Systems Affected:: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:: 2639417, CVE-2011-3402, MS11-087

W32.Duqu is a Trojan that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

The Trojan may arrive as a Microsoft Word document containing an exploit for the Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462). Successful exploitation of the vulnerability will enable the Trojan to be dropped and executed on the targeted computer.

Initial analysis of this threat has shown that it is closely related to the W32.Stuxnet worm from 2010. More information about W32.Duqu and W32.Stuxnet can be found in the following resources:

W32.Duqu: The precursor to the next Stuxnet
Blogs entries on W32.Stuxnet
W32.Stuxnet Dossier (Whitepaper - September, 2010)

Note: Virus definitions dated October 18, 2011 or earlier detect this threat as Trojan Horse.

Antivirus Protection Dates

Initial Rapid Release version October 27, 2011 revision 051
Latest Rapid Release version February 19, 2013 revision 016
Initial Daily Certified version October 28, 2011 revision 002
Latest Daily Certified version March 19, 2012 revision 018
Initial Weekly Certified release date October 19, 2011

Click for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Medium
Payload: Opens a back door and downloads files.
Releases Confidential Info: May steal information from the compromised computer.

Distribution

Distribution Level: Low

Writeup By: Poul Jensen

Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm

STAR Antimalware Protection Technologies

Internet Security Threat Report, Volume 17

Symantec [+]
Norton [+]
- AntiVirus|
- Norton Store|
- Internet Security|
- Mac AntiVirus|
- Mobile Security|
- Norton|
- Spyware|
- Virus Protection|
- Virus Removal|
- Virus Scan
Website Security Solutions [+]
PC Tools [+]

PRODUCTS & SERVICES

POPULAR PRODUCTS

SOLUTIONS

HOW TO BUY

RESOURCES

COMMUNITIES: SYMANTEC CONNECT

Trust the Leader

Symantec SSL Certificates

PRODUCT SUPPORT

PRODUCT SUPPORT FOR ACQUIRED COMPANIES

LICENSING & ACCOUNT MANAGEMENT ASSISTANCE

BUSINESS SUPPORT RESOURCES

COMMUNITIES: SYMANTEC CONNECT

NORTON COMMUNITY

SOCIAL MEDIA

Information Unleashed

The Official Voice of Symantec

STAY SECURE

Updates

Repair

BE INFORMED

24/7 Reporting

Security Technology and Response

PUBLICATIONS

CONTACT US ABOUT

2013 Internet Security Threat Report

Symantec data and analysis on the threat landscape.

TRIALWARE

All Business Trialware

BUY ONLINE

Website Security Solutions

Shop All Business

SHOP NORTON

Most Popular

New Products

My Norton Product

See all Norton offerings

Endpoint Protection Small Business Edition 2013

Buy 3 years and save up to 33% off MSRP.