Stuxnet Worm Detection
Critical Nessus Plugin ID 49270
SynopsisThe remote Windows host has been infected with the Stuxnet worm.
DescriptionThe remote Windows host has files present on the system that indicate the Stuxnet worm has infected the system. This worm attempts to spread in several ways, making use of known Windows vulnerabilities and removable media. It has been seen making use of several 0-day vulnerabilities as well as attacking Siemens SCADA systems.
This plugin looks for files present on Windows systems that are generated upon infection. The Stuxnet executable uses hard-coded file names, and generates several files, such as malicious drivers that are loaded by the system. The presence of these files is indicative of a system that has been infected through one of the multiple vectors Stuxnet attempts to use.
SolutionUpdate the host's antivirus software, clean the host, and scan again to ensure its removal. If symptoms persist, re-installation of the infected host is recommended.