The main Trojan module includes a kernel driver responsible for penetrating a machine's security, a DLL library that communicates with C&C servers, configures other modules and runs executable code, and a configuration file with instructions on how to do all that.
There is also a keylogger designed to capture data from the initial victim as well as from any other victims Duqu seeks out on an infected network.
Duqu is hard to identify because its configuration changes drastically from one infection to another. When it was first discovered, there were at least 13 driver files that could use different methods and signatures to penetrate new systems. Each installation used different checksums and file names.
It's not clear from either the victims or Duqu's methods who its specific targets are or what information its authors are after.
Symantec's Duqu whitepaper has the specifics on the structure and capabilities of previous Duqu versions (PDF).
Wasn't Duqu busted already?
It's a little surprising that Duqu's authors are charging ahead with the same virus and apparently the same goals, despite wide public recognition of both the virus and its intentions, according to Vikram Thakur, principal security response manager at Symantec.
"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec's blog reads.
"I think when you invest as much money as invested into Duqu and Stuxnet to create this flexible framework, it's impossible to simply throw it away and start from zero," according to Costin Raiu, director of Kaspersky Lab's global research and analysis team.
Previous Duqu version partially written using mysterious variant of C.
On Monday Kaspersky announced it had cracked the mystery of the code previous versions of Duqu used to communicate with C&C servers, which looked as if it had been programmed using an unknown new language.