[gR1]

~WTR4141.tmp (~25Kb) file (which I've renamed to dll.dll for convenience)

It's not clear: have you remained the original name or "dll.dll"? If the name was not original it will not perform regsvr32 operation from LNK so the installation will be incomplete.

Possibly this is the point.

I forgot to mention that I've also tried with various names for the ~25Kb file, ~wtr.dll, ~wtr.tmp, etc. including ~WTR4141.tmp (original name), but not one worked as desired.
I'll attach what I currently have, if someone is kind to take a look, I'll appreciate it. :)
I'm probably making a mistake in the .lnk file somewhere... :/

stux.zip

Pass: infected
(509.49 KiB) Downloaded 165 times

[EP_X0FF]

Official patch for LNK "feature" has been released.

[__Genius__]

Anybody has been analyzed this malware throughly?

[Mehdi]

As you know, the machines infected with Stuxnet, call back to C&C servers with a DATA field that starts with 66a96e28 .
This DATA is encrypted (XOR-ed) with a 31 byte key that I think this key is embedded within the DLL.
Do you know what's the key? or how we can decode the DATA field?
Thanks

[__Genius__]

According to kaspersky labs : Stuxnet malware utilized 4 different zero day vulnerability for spreading purposes .
http://www.securelist.com/en/blog/2291/ ... e_MS10_061

[EP_X0FF]

Anybody has been analyzed this malware throughly?

Well it is not surprise and not secret anymore.
Stuxnet is (c) Mossad and it's main target was atomic plant in Busher, Iran.

[gjf]

Stuxnet is (c) Mossad and it's main target was atomic plant in Busher, Iran.

Proof links? Al it is just a rumor?

[swirl]

Proof links? Al it is just a rumor?

I don't think we will have any sort of proof.. but seems a plausible hypothesis
given that stuxnet spreaded mostly in Iran and considering it's final aim.
Most of the media hype and analysis focused on the .LNK vuln and in the later days on
the 3 more vulns included but I didn't found much about WHAT was the aim
of the worm: lots of articles on how it spreaded but not much on what it was
supposed to do, except this one http://www.langner.com/en/index.htm

my 2 cents ;)

[gjf]

Actually it was not Iran, but India and Indonesia:

But there is another statistics:

so there is no only one opinion.

BTW it was found Stuxnet is intended to get access to Siemens WinCC, and I am not sure Germany have sold some software and industrial systems to Iran.

So it is not clear Iran is primary target. That's why I've asked about proof links.

[EP_X0FF]

India and Indonesia only because they have more computers.

Atomstroyexport has also business in India btw ;)

And everything was told one year ago :)

http://www.ynetnews.com/articles/0,7340 ... 60,00.html

What about Siemens, well it's used on Busher.

http://www.ynetnews.com/articles/0,7340 ... 63,00.html

As in fact sabotage seems to be was successful.