{
	"id": "df384aae-1bdb-45bf-99fd-45f9b21fbf9e",
	"created_at": "2026-04-06T00:21:04.986736Z",
	"updated_at": "2026-04-10T03:20:48.683213Z",
	"deleted_at": null,
	"sha1_hash": "a6ab839505050a2f5a2cce4a2b7bb7e70bb37499",
	"title": "Primary Stuxnet Advisory | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47081,
	"plain_text": "Primary Stuxnet Advisory | CISA\r\nPublished: 2018-09-06 · Archived: 2026-04-02 12:36:20 UTC\r\nOVERVIEW\r\nICS-CERT has been actively investigating and reporting on the Stuxnet malware. To date, ICS-CERT has released ICSA-10-201-01 - Malware Targeting Siemens Control Software (including Updates B & C) and ICSA-10-238-01 - Stuxnet Mitigations (including Update B).\r\nStuxnet uses four zero-day exploits (two of which had been patched at the time of this advisory) and also takes advantage of a vulnerability exploited earlier by Conficker, documented in Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx, website last accessed September 28, 2010). The known methods of propagation include infected USB devices, network shares, STEP 7 project files, WinCC database files, and the print spooler vulnerability addressed by Microsoft Security Bulletin MS10-061 (http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx, website last accessed September 28, 2010). The malware can be updated through a command and control infrastructure as well as by peer-to-peer communication using the Remote Procedure Call (RPC) protocol.\r\nThe malware also interacts with Siemens SIMATIC WinCC or SIMATIC STEP 7 software. Exact software versions and configurations that may be affected are still being analyzed jointly by ICS-CERT and Siemens. We have listed the following indicators for use in detecting this malware.\r\nPRIMARY MALWARE INDICATORS\r\nINDICATOR LIST OVERVIEW\r\nThe following indicator list was developed by ICS-CERT and will be useful in detecting malicious files on systems infected with Stuxnet. Tests were performed on two systems. One system was a new installation of Windows XP SP3 that was subsequently infected with Stuxnet. The other machine was the same Windows configuration but also included Siemens WinCC and STEP 7 software installations. 
Based on these tests, ICS-CERT has determined that these indicators fall into two groups. Some indicators appear on systems whether or not they have Siemens WinCC/STEP 7 installed, and the others only appear on systems with WinCC/STEP 7 installed.\r\nINFECTED MACHINES WITH OR WITHOUT WINCC/STEP 7 INSTALLED\r\nFilename and path                      MD5 hash\r\nWINDOWS\\inf\\mdmeric3.PNF              b834ebeb777ea07fb6aab6bf35cdf07f\r\nWINDOWS\\inf\\oem6C.PNF                 Hash may vary\r\nWINDOWS\\inf\\oem7A.PNF                 ad19fbaa55e8ad585a97bbcddcde59d4\r\nWINDOWS\\inf\\mdmcpq3.PNF               Hash may vary\r\nWINDOWS\\system32\\drivers\\mrxcls.sys   f8153747bae8b4ae48837ee17172151e\r\nWINDOWS\\system32\\drivers\\mrxnet.sys   cc1db5360109de3b857654297d262ca1\r\nINFECTED MACHINES WITH WINCC/STEP 7 INSTALLED\r\nFilename and path                      MD5 hash\r\nWINDOWS\\system32\\s7otbxdx.dll         7a4e2d2638a454442efb95f23df391a1\r\nWINDOWS\\system32\\s7otbxsx.dll         5b855cff1dba22ca12d4b70b43927db7\r\nThe malicious s7otbxdx.dll has the same name as the original legitimate STEP 7 file, which it replaces. s7otbxsx.dll is that original legitimate file after the malware has renamed it; a file of this name does not exist on a clean installation, so its presence is an indicator on its own even where its hash differs from the value listed (the hash of the renamed original depends on the STEP 7 release installed, and the value above is from the release ICS-CERT tested).\r\nThe following files may be found in WinCC/STEP 7 project directories.\r\nFilename and path     MD5 hash\r\n\\GraCS\\cc_alg.sav     ad19fbaa55e8ad585a97bbcddcde59d4\r\n\\GraCS\\cc_tag.sav     Hash may vary\r\n\\GraCS\\cc_tlg7.sav    d102bdad06b27616babe442e14461059\r\n\\GraCS\\db_log.sav     b834ebeb777ea07fb6aab6bf35cdf07f\r\nNote that cc_alg.sav and db_log.sav carry the same MD5 values as oem7A.PNF and mdmeric3.PNF above, so they are copies of those two files.\r\nIn infected projects, the malicious *.sav files are stored in the GraCS subdirectory within a project’s root directory. This also occurs inside compressed or zipped project files, so archived projects need to be scanned as well. It appears that the malware specifically looks for the demo projects commonly installed as part of the WinCC software. If any of these malicious *.sav files are found, it is likely that the malware has injected malicious stored procedures into one or more of the project’s database files. 
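Host scanner for the indicators above, added here as an example; it is not part of the CISA advisory nor of any ICS-CERT or Siemens tooling. It transcribes both indicator tables into one lookup table keyed by trailing path components, walks a filesystem root (a live system drive, a mounted disk image, or an exported WinCC/STEP 7 project tree), hashes every file whose path ends in an indicator, and classifies it: MATCH when the MD5 equals the listed value, REVIEW for the 'Hash may vary' entries and for s7otbxsx.dll (flagged on name alone, since the advisory describes it as the renamed original), MISMATCH when the name matches but the content differs. Because the advisory notes that the .sav files also occur inside compressed project files, .zip archives are opened and their GraCS entries hashed in place. Assumptions of this example: the 32-hex values in the tables are MD5 digests, only .zip archives are handled (other compression formats would need their own reader), the verdict names and function names are this example's own, and demo_scan() builds a constructed tree of placeholder bytes (including a hypothetical extra indicator 'known.PNF') rather than real Stuxnet samples.

```python
# Added example (not from the CISA advisory): scan a tree for the Stuxnet file indicators of ICSA-10-272-01.
import hashlib, os, shutil, tempfile, zipfile
from collections import namedtuple

# Transcribed from the advisory; None stands for 'Hash may vary'. Keys are trailing path
# components (under the Windows directory, or a WinCC/STEP 7 project root for GraCS entries).
INDICATORS = {
    ('inf', 'mdmeric3.PNF'): 'b834ebeb777ea07fb6aab6bf35cdf07f',
    ('inf', 'oem6C.PNF'): None,
    ('inf', 'oem7A.PNF'): 'ad19fbaa55e8ad585a97bbcddcde59d4',
    ('inf', 'mdmcpq3.PNF'): None,
    ('system32', 'drivers', 'mrxcls.sys'): 'f8153747bae8b4ae48837ee17172151e',
    ('system32', 'drivers', 'mrxnet.sys'): 'cc1db5360109de3b857654297d262ca1',
    ('system32', 's7otbxdx.dll'): '7a4e2d2638a454442efb95f23df391a1',
    ('system32', 's7otbxsx.dll'): '5b855cff1dba22ca12d4b70b43927db7',
    ('GraCS', 'cc_alg.sav'): 'ad19fbaa55e8ad585a97bbcddcde59d4',
    ('GraCS', 'cc_tag.sav'): None,
    ('GraCS', 'cc_tlg7.sav'): 'd102bdad06b27616babe442e14461059',
    ('GraCS', 'db_log.sav'): 'b834ebeb777ea07fb6aab6bf35cdf07f',
}
Hit = namedtuple('Hit', 'path verdict md5 expected')  # verdict names are this example's own

def md5_stream(fh, chunk=1 << 20):
    h = hashlib.md5()
    for block in iter(lambda: fh.read(chunk), b''):  # chunked: project archives can be large
        h.update(block)
    return h.hexdigest()

def match_indicator(parts, index):
    '''(key, expected) if the trailing components of parts equal an indicator key (case-insensitive, as on Windows); else None.'''
    low = tuple(p.lower() for p in parts)
    for key, expected in index.items():
        if len(low) >= len(key) and low[-len(key):] == key:
            return key, expected
    return None

def verdict_for(key, expected, digest):
    if expected is not None and digest == expected:
        return 'MATCH'      # byte-identical to the sample ICS-CERT hashed
    if expected is None or key[-1] == 's7otbxsx.dll':
        # 'Hash may vary' entries are flagged on name alone; so is s7otbxsx.dll, which per the
        # advisory is the legitimate s7otbxdx.dll renamed by the malware, whatever its release hash.
        return 'REVIEW'
    return 'MISMATCH'       # same name, other content: legitimate file or an unknown variant

def scan_zip(path, index):
    '''Hash matching entries inside a zipped project without extracting it.'''
    hits = []
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            # chr(92) is the backslash that some Windows archivers use as the separator
            parts = tuple(info.filename.replace(chr(92), '/').split('/'))
            found = None if info.is_dir() else match_indicator(parts, index)
            if found:
                with zf.open(info) as fh:
                    digest = md5_stream(fh)
                hits.append(Hit(path + '::' + info.filename, verdict_for(found[0], found[1], digest), digest, found[1]))
    return hits

def scan_tree(root, indicators=INDICATORS):
    '''Walk root (a system drive, mounted image or project export); return a Hit per match.'''
    index = {tuple(p.lower() for p in k): v for k, v in indicators.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        dir_parts = () if rel == '.' else tuple(rel.split(os.sep))
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith('.zip'):
                hits.extend(scan_zip(full, index))
                continue
            found = match_indicator(dir_parts + (name,), index)
            if found:
                with open(full, 'rb') as fh:
                    digest = md5_stream(fh)
                hits.append(Hit(full, verdict_for(found[0], found[1], digest), digest, found[1]))
    return hits

def demo_scan():
    '''Constructed sample tree (placeholder bytes, not Stuxnet samples): scan it, return {name: verdict}.'''
    base = tempfile.mkdtemp()
    try:
        samples = {
            ('inf', 'oem6C.PNF'): b'placeholder pnf',               # hash may vary -> REVIEW
            ('system32', 'drivers', 'mrxcls.sys'): b'placeholder',   # listed hash differs -> MISMATCH
            ('system32', 's7otbxsx.dll'): b'placeholder dll',        # renamed original -> REVIEW
            ('inf', 'known.PNF'): b'placeholder known',              # hypothetical extra IOC -> MATCH
        }
        for parts, data in samples.items():
            path = os.path.join(base, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(base, 'DemoProject.zip'), 'w') as zf:
            zf.writestr('DemoProject/GraCS/cc_tag.sav', b'placeholder sav')  # zipped project
        table = dict(INDICATORS)
        table[('inf', 'known.PNF')] = hashlib.md5(b'placeholder known').hexdigest()
        return {os.path.basename(h.path): h.verdict for h in scan_tree(base, table)}
    finally:
        shutil.rmtree(base, ignore_errors=True)

if __name__ == '__main__':
    print(demo_scan())
```

Calling scan_tree() against the root of a mounted image or the Windows directory of a live host returns Hit records carrying the path, verdict, observed MD5 and listed MD5. A REVIEW hit needs a manual look at the file; a MISMATCH means the name is present but the content is not the sample ICS-CERT hashed, which for s7otbxdx.dll may simply be the legitimate DLL, so compare it against a known-good installation of the same STEP 7 release rather than dismiss it.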
If any of these malicious *.sav files are detected, please contact ICS-CERT for further assistance.\r\nMITIGATION\r\nFor information regarding Stuxnet mitigations, please refer to ICSA-10-238-01B – Stuxnet Mitigations.\r\nOrganizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.\r\nThe Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\r\nSource: https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01"
	],
	"report_names": [
		"ICSA-10-272-01"
	],
	"threat_actors": [],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6ab839505050a2f5a2cce4a2b7bb7e70bb37499.pdf",
		"text": "https://archive.orkl.eu/a6ab839505050a2f5a2cce4a2b7bb7e70bb37499.txt",
		"img": "https://archive.orkl.eu/a6ab839505050a2f5a2cce4a2b7bb7e70bb37499.jpg"
	}
}