Trojan.Dropper.Cutwail.AT
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Dropper.Cutwail.AT is also known as Trojan.Win32.Rabbit.bo, TROJ_CUTWAIL.FZ, Win32:Cutwail-K, [Trj], TrojanDownloader:Win32/Cutwail.AI.
Explanation:
The Trojan (at the moment of writing) consists of three components:
- a downloader component, used to download other components
- a dropper component, which drops a driver
- a spammer component
When first run, the downloader component unpacks itself in memory, after which it copies itself to %userprofile%\%username%.exe and registers the copy to run at system startup using the value %username% under the key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
having the value:
%userprofile%\%username% /i
After this it will delete itself.
It will also slowly inject itself into the processes running on the system. The synchronization between the running instances is achieved with the help of randomly named mutexes.
To protect itself it constantly relaunches itself: each instance does its job and exits, and the newly launched instance does the same. This makes it almost impossible to terminate, because the Process Identifier changes rapidly.
It will try to connect to a valid server from a list of addresses. If it succeeds, it will download the other two components (the dropper and the spammer).
The dropper component is executed first; it is written to the "%temp%" directory with the name BN[number].tmp. After unpacking itself in memory it drops a driver to %windir%\system32\drivers\[name].sys, where name is one of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.
Regardless of the file name, the symbolic link created by the driver will be ndis_ver2. If the driver is already present it can update it to a newer version.
After this it will delete itself.
The driver's job is to inject the downloader component (identical to the original downloader component) contained within it into services.exe from kernel mode.
The spammer component is injected into svchost.exe; after this the victim's computer becomes a spam-bot, sending unwanted emails.
Last update 21 November 2011
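As an added example (not code from the BitDefender write-up), the following Python checks exported Run-key values and a listing of the drivers directory for the two persistence artifacts described above: a Run value named after the user that launches %userprofile%\%username%[.exe] with the /i switch, and a .sys file whose name is on the dropper's list. The sample data is constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Driver file name stems listed in the write-up for the dropped driver.
CUTWAIL_DRIVER_STEMS = {
    "ntmd", "fat16s", "fat32s", "pusi", "gen_vok", "ws2_32sik", "netsik",
    "port135sik", "nicsk32", "ksi32sk", "systemntmi", "securentm",
    "fips32cup", "ati64si", "i386si", "amd64si", "acpi32",
}

def suspicious_run_entries(username, run_values):
    """Return (name, data) pairs from HKCU\\...\\CurrentVersion\\Run that match
    the persistence pattern: value name == username and data launches
    <dir>\\<username>[.exe] /i. run_values maps value name -> data string,
    e.g. as exported with 'reg query' and parsed into a dict."""
    hits = []
    for name, data in run_values.items():
        if name.lower() != username.lower():
            continue
        # Accept an optionally quoted path followed by the "/i" argument.
        m = re.fullmatch(r'"?(.+?)"?\s+/i', data.strip(), re.IGNORECASE)
        if not m:
            continue
        stem = PureWindowsPath(m.group(1)).name.lower()
        if stem in (username.lower(), username.lower() + ".exe"):
            hits.append((name, data))
    return hits

def suspicious_drivers(driver_dir_listing):
    """Flag .sys files under %windir%\\system32\\drivers whose stem is on the
    write-up's list. A hit is a lead, not proof: confirm by inspecting the file."""
    return sorted(f for f in driver_dir_listing
                  if PureWindowsPath(f).suffix.lower() == ".sys"
                  and PureWindowsPath(f).stem.lower() in CUTWAIL_DRIVER_STEMS)

# Constructed sample data (not from the page): one benign Run value and one
# matching the pattern for user "alice"; a drivers listing with two hits.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',
    "alice": r"%userprofile%\alice.exe /i",
}
SAMPLE_DRIVERS = ["ndis.sys", "ntmd.sys", "fat32s.sys", "tcpip.sys", "pusi.txt"]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries("alice", SAMPLE_RUN))
    print("Driver hits:", suspicious_drivers(SAMPLE_DRIVERS))
```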