
TrojanDownloader:Win32/Cutwail.AI


First posted on 01 May 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Cutwail.AI is also known as Trojan.Win32.Rabbit.e (Kaspersky), Mal/Pushdo-A (Sophos), Trojan.Dropper.Kobcka.Gen.1 (BitDefender), and Cutwail.gen.c (McAfee).

Explanation :

TrojanDownloader:Win32/Cutwail.AI is a trojan that drops other malware on the system. It attempts to bypass the Windows firewall in order to connect to a specific IP address and download further malware.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom. Since this threat drops another malware component detected as TrojanDownloader:Win32/Cutwail.AJ, the presence of TrojanDownloader:Win32/Cutwail.AJ may also be a symptom of this threat.


Payload
Drops Other Malware
TrojanDownloader:Win32/Cutwail.AI drops and executes the following file on the computer:

%UserProfile%\<User Name>.exe - detected as TrojanDownloader:Win32/Cutwail.AJ

It then modifies the system registry so that its dropped file runs every time Windows starts:

Adds value: "<User Name>"
With data: "%UserProfile%\<User Name>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

where <User Name> is any user name present on the system, for example, Administrator or Guest.

Downloads Other Files
TrojanDownloader:Win32/Cutwail.AI injects code into the process smss.exe in an attempt to let the malware process bypass the Windows firewall. Once connected to the Internet, it connects to the following IP address to download other, possibly malicious, files:

208.43.162.82

The above IP address was not accessible at the time of writing.
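A defender-side check for the persistence indicator described above, added here as an example and not part of the original description: it scans Run-key entries for a value named after a local user whose data points to <profile>\<User Name>.exe, accepting both the literal %UserProfile% form and an already-expanded profile path. SAMPLE_RUN_VALUES and SAMPLE_USERS are constructed sample data; on a live host they would come from reading HKCU\Software\Microsoft\Windows\CurrentVersion\Run and enumerating local accounts.

```python
import re

# Constructed sample of Run-key entries (value name, value data) from a
# hypothetical host; not data from a real infection.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\Alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Administrator", r"%UserProfile%\Administrator.exe"),
    ("guest", r'"C:\Documents and Settings\Guest\Guest.exe"'),
    ("Alice", r"%UserProfile%\Desktop\Alice.exe"),
]
# Constructed list of local account names on the hypothetical host.
SAMPLE_USERS = ["Administrator", "Guest", "Alice"]


def _profile_exe_pattern(user: str) -> re.Pattern:
    """Regex for <profile root>\\<user>.exe, quoted or not, where the profile
    root is either the literal %UserProfile% variable or an expanded path
    (C:\\Documents and Settings\\<user> or C:\\Users\\<user>)."""
    u = re.escape(user)
    root = r"(?:%UserProfile%|[A-Za-z]:\\(?:Documents and Settings|Users)\\" + u + ")"
    return re.compile(r'^"?' + root + r"\\" + u + r'\.exe"?\s*$', re.IGNORECASE)


def find_cutwail_run_entries(run_values, users):
    """Return (value name, data) pairs matching the Cutwail.AI persistence
    pattern: the value name equals a local user name and the data is
    <profile>\\<user>.exe. Names compare case-insensitively, as the registry does."""
    hits = []
    for name, data in run_values:
        for user in users:
            if name.lower() == user.lower() and _profile_exe_pattern(user).match(data):
                hits.append((name, data))
                break
    return hits


if __name__ == "__main__":
    for name, data in find_cutwail_run_entries(SAMPLE_RUN_VALUES, SAMPLE_USERS):
        print(f"suspicious Run value {name!r} -> {data}")
```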

Analysis by Andrei Florin Saygo

Last update 01 May 2009
