DuQu virus

Parts of Duqu are almost identical to Stuxnet, but with a totally different objective: the purpose of Duqu is to collect intelligence. In other words, Duqu is not designed to attack industrial systems, as Stuxnet did, but to gather intelligence information. With a view to a future attack, Duqu used a “puzzle” of components, including a Symantec digital certificate.


Discovery

The threat was written by the same authors as Stuxnet (or by people who have access to the Stuxnet source code), and it appears to have been created after the last Stuxnet file was recovered. A laboratory with strong international connections raised the alarm about a sample that is very similar to Stuxnet. They called the threat ‘Duqu’ because it creates files with the prefix ‘~DQ’. The lab provided samples retrieved from computer systems located in Europe, as well as a detailed report of their initial findings, including a comparative analysis with Stuxnet. The creators of Stuxnet are still unknown, but some voices have directed their suspicions at the governments of Israel and the United States. Unlike Stuxnet,

Creators

This is not the work of a hobbyist: it uses cutting-edge technology, which generally means it was created by someone with a purpose in mind. If the author is the same as Stuxnet’s, Duqu could have the same goal; but if the code has been handed to someone else, it may serve another purpose. According to the Symantec official, there is “more than one variant” of Duqu. The malicious code removes itself from the computers it infects after 36 hours, indicating that it stays more hidden than its predecessor.

How does it work

Upon entering a computer, Duqu opens a back door through which attackers can enter the machine and do as they please. What’s more, the cybercriminals have control centers for accessing infected computers, and no matter how many of them are identified and taken down, several more appear every minute.

How to avoid it

  • Keep Windows and Office up to date through Windows Update.
  • Update your antivirus software and keep a good antimalware tool handy. Run them to do a complete scan of your system.
  • If you receive a suspicious email with a Word file attached, delete it immediately, as the chances of it being infected are high.

Victims

Computers infected by the Duqu malware meet at least one of the following conditions:

  1. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3 exists
  2. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cmi4432 exists
  3. The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfrd965 exists

Inside the folder c:\windows\inf (actually %systemroot%\inf) there are some files with the .pnf extension.

Inside the folder c:\windows\system32\drivers (actually %systemroot%\system32\drivers) there are some files with the .sys extension.
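A defender-side triage script for the indicators listed above, written for this page and not taken from the original article or from any vendor tool: it checks a host for the three service keys, records each service's ImagePath so the driver can be collected before Duqu's 36-hour self-removal, and lists recently modified .pnf files under %systemroot%\inf. The 30-day window and the ImagePath lookup are assumptions of this example.

```powershell
# Added example (not from the original page). Service names come from the
# article; the ImagePath lookup and 30-day window are this example's choices.
$ServiceNames = @('JmiNET3', 'Cmi4432', 'nfrd965')
$Findings = @()

foreach ($Name in $ServiceNames) {
    $Key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path -LiteralPath $Key) {
        # Read the driver path the service points at so an analyst can
        # preserve the file; Duqu removes itself after 36 hours.
        $Props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
        $Findings += [pscustomobject]@{
            Indicator = "Service key $Name"
            ImagePath = $Props.ImagePath
        }
    }
}

# The article only names the .pnf extension under %systemroot%\inf. Legitimate
# precompiled INF (.pnf) files live there too, so this is a triage listing,
# not a verdict: review the recently written entries by hand.
$InfDir = Join-Path $env:SystemRoot 'inf'
$RecentPnf = Get-ChildItem -LiteralPath $InfDir -Filter '*.pnf' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending

if ($Findings.Count -eq 0) {
    Write-Output 'No Duqu service keys found.'
} else {
    Write-Output 'Duqu service keys present (isolate the host and collect the drivers):'
    $Findings | Format-Table -AutoSize
}

Write-Output "Recently modified .pnf files in $InfDir (review manually):"
$RecentPnf | Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since the Services hive and the inf folder are not fully readable by a restricted user.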

How to eliminate

Duqu_Removal_Tool.zip is a free and fully automated tool. Just download it and run it on your system, and restart your PC if an infection is found. Here is the complete list of steps to take:

  • Download Duqu_Removal_Tool.zip (.zip), double-click on it, choose “Extract all files…” from the File menu, and follow the wizard’s instructions. You can use any other unzipping utility, like WinZip.
  • Navigate to the folder the tool was extracted to, find the file named Duqu_Removal_tool.exe and double-click on it. Press the Scan button and let the removal tool scan your PC.
  • If you have Windows Vista with User Account Control enabled, or if you are running as a restricted user in Windows XP, right-click on the Duqu_Removal_tool.exe program and select “Run as Administrator.” You will be asked to enter the credentials of an administrator account.
  • Press the OK button when the removal tool asks to restart the computer.
  • Done: your PC is cleaned of the rootkit, which prevents Duqu from operating.


by Abdullah Sam