Microsoft Investigating Windows Security Zero-Day Targeted by Trojan


Written by Brian Prince
Jul 16, 2010

Microsoft is investigating reports of a Windows security vulnerability being exploited by a Trojan some say is targeting industrial companies.

The malware exploits a vulnerability in Windows’ handling of “lnk” shortcut files. According to VirusBlokAda (PDF), a security vendor based in Belarus, the Trojan propagates through USB devices and uses rootkit functionality to hide itself. Unlike other USB malware, however, just opening up an infected USB device with Windows Explorer or another file manager that can display icons is enough to infect a system, the firm found.

“[The] malware installs two drivers: mrxnet.sys and mrxcls.sys,” according to the company’s advisory. “They are used to inject code into systems processes and hide [the] malware itself. That’s the reason why you can’t see malware files on the infected USB storage device.”

According to an analysis by Sophos, the rootkit is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult, Sophos said.
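The indicators in the two paragraphs above lend themselves to a simple host-side triage check. The script below is an added example and is not code from the eWeek article, VirusBlokAda or Sophos. It takes only the driver file names the advisory reports (mrxnet.sys and mrxcls.sys) from the article; the "shortcut next to hidden binaries on removable media" heuristic, the payload extensions, the `FileRecord` shape and the sample file inventory are assumptions constructed for the example, so that it runs offline. On a real host the inventory would come from walking the drivers directory and each removable volume.

```python
"""Added example: triage of a file inventory for the USB/.lnk Trojan indicators
reported in the article. Not the article's or any vendor's code."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Driver names reported in the VirusBlokAda advisory quoted by the article.
SUSPECT_DRIVERS = {"mrxnet.sys", "mrxcls.sys"}

# Hidden binaries a shortcut on a USB stick would not normally sit beside.
# Heuristic chosen for this example, not taken from the article.
PAYLOAD_EXTS = {".sys", ".dll", ".tmp"}


@dataclass(frozen=True)
class FileRecord:
    path: str        # Windows-style full path
    hidden: bool     # hidden attribute set
    removable: bool  # file lives on a removable (USB) volume


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _suffix(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def find_suspect_drivers(inventory):
    """Paths whose file name matches a driver named in the advisory."""
    return sorted(r.path for r in inventory if _name(r.path) in SUSPECT_DRIVERS)


def find_lnk_with_hidden_payloads(inventory):
    """On removable volumes, .lnk files that share a directory with hidden
    binaries. Rendering the icon of such a shortcut is the infection trigger
    the article describes. Returns {lnk_path: [payload paths]}."""
    by_dir = {}
    for r in inventory:
        if r.removable:
            key = str(PureWindowsPath(r.path).parent).lower()
            by_dir.setdefault(key, []).append(r)

    findings = {}
    for records in by_dir.values():
        payloads = sorted(r.path for r in records
                          if r.hidden and _suffix(r.path) in PAYLOAD_EXTS)
        if not payloads:
            continue
        for r in records:
            if _suffix(r.path) == ".lnk":
                findings[r.path] = payloads
    return findings


def triage(inventory):
    """Combine both checks into one report dictionary."""
    return {
        "suspect_drivers": find_suspect_drivers(inventory),
        "lnk_with_hidden_payloads": find_lnk_with_hidden_payloads(inventory),
    }


# Constructed sample inventory: one bad driver, one benign driver as a control,
# one USB root with a shortcut beside a hidden payload, one clean USB folder.
CONSTRUCTED_INVENTORY = [
    FileRecord(r"C:\Windows\System32\drivers\mrxnet.sys", hidden=False, removable=False),
    FileRecord(r"C:\Windows\System32\drivers\mrxsmb.sys", hidden=False, removable=False),
    FileRecord(r"E:\report.lnk", hidden=False, removable=True),
    FileRecord(r"E:\~payload1.tmp", hidden=True, removable=True),
    FileRecord(r"E:\docs\notes.lnk", hidden=False, removable=True),
    FileRecord(r"E:\docs\readme.txt", hidden=False, removable=True),
]

if __name__ == "__main__":
    for kind, hits in triage(CONSTRUCTED_INVENTORY).items():
        print(kind, "->", hits)
```

The driver-name check is exact and cheap but brittle, since a name is trivial to change; the shortcut heuristic catches the propagation pattern rather than a name, at the cost of false positives on sticks that legitimately carry hidden binaries. Neither check verifies a signature, and the Sophos finding above is a reminder that a valid Authenticode signature from a hardware vendor is not by itself evidence that a driver is benign.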

“At this point the only mitigation is to not view USB disks in Windows Explorer,” said Chet Wisniewski, senior security adviser at Sophos. “The attack is not widespread at all as it was a very targeted attack. The real problem is that now that it is known, any random cyber-criminal can start to use it. That’s what makes this a much bigger problem. Hopefully, Microsoft will have some good news and official mitigation steps today.”

Independent security researcher Frank Boldewin uncovered requests by the malware to a Siemens SCADA WinCC + S7 database, indicating the Trojan may be meant for industrial espionage. The Siemens SCADA system is widely used by utility companies.

Malware spreading via USB devices is not new. In fact, two of the top five malware threats observed by McAfee during the first of the year were worms infecting users with AutoRun enabled.

“When we have completed our investigations, we will take appropriate action to protect users and the Internet ecosystem,” said Jerry Bryant, group manager of Response Communications at Microsoft, in a statement to eWEEK.
