The Trojan may arrive as the following file:
When the Trojan is executed, it may create the following file:
%UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS]\Stuxnet Cleaner.bat
Next, the Trojan modifies the following registry entries in order to alter file associations so that certain file types cannot be opened:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\"(Default)" = "WMAFile"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mp3\"(Default)" = "VBSFile"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jpg\"(Default)" = "THEMEFile"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bmp\"(Default)" = "THEMEFile"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif\"(Default)" = "THEMEFile"
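The registry values listed above can be checked read-only on a suspect host. The following PowerShell is an added example, not part of the original writeup or any vendor tool; the function name Test-FileAssociation is hypothetical, and it assumes $env:TEMP resolves to the per-user Temp folder named above.

```powershell
# Added example: the indicator values are the tampered associations listed in this writeup.
$tampered = [ordered]@{
    '.exe' = 'WMAFile'
    '.mp3' = 'VBSFile'
    '.jpg' = 'THEMEFile'
    '.bmp' = 'THEMEFile'
    '.gif' = 'THEMEFile'
}

# Hypothetical helper: compares each extension's (Default) value with the indicator.
function Test-FileAssociation {
    param(
        [System.Collections.IDictionary]$Indicators,
        [string]$ClassesRoot = 'HKLM:\SOFTWARE\Classes'
    )
    foreach ($ext in $Indicators.Keys) {
        $key = Get-Item -LiteralPath (Join-Path $ClassesRoot $ext) -ErrorAction SilentlyContinue
        # GetValue('') reads the key's (Default) value; $null when it is unset.
        $current = if ($key) { $key.GetValue('') } else { $null }
        $status = if (-not $key) { 'KeyMissing' }
                  elseif ($current -eq $Indicators[$ext]) { 'MatchesIndicator' }  # -eq ignores case
                  else { 'NoMatch' }
        [pscustomobject]@{
            Extension = $ext
            Current   = $current
            Indicator = $Indicators[$ext]
            Status    = $status
        }
    }
}

$results = @(Test-FileAssociation -Indicators $tampered)
$results | Format-Table -AutoSize

# Look for the dropped batch file under the current user's Temp folder
# (assumption: $env:TEMP is the Temp path named in the writeup).
$dropped = @(Get-ChildItem -Path $env:TEMP -Filter 'Stuxnet Cleaner.bat' -Recurse `
                 -ErrorAction SilentlyContinue)
$dropped | Select-Object FullName, CreationTime, Length

$hits = @($results | Where-Object { $_.Status -eq 'MatchesIndicator' }).Count + $dropped.Count
if ($hits -gt 0) { Write-Warning "$hits indicator(s) from this writeup found on $env:COMPUTERNAME" }
```

The script changes nothing on the host; it reports the current value for each extension so an analyst can compare it with a known-good baseline.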
The Trojan may then end the following tasks:
Next, the Trojan deletes all files and folders on the C drive.
It then restarts the computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":