
TrojanDropper:Win32/Cutwail.AL


First posted on 18 June 2009.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Cutwail.AL is also known as Spy-Agent.bv.gen.b (McAfee), Trojan.Kobcka.IB (BitDefender), Mal/Pushdo-A (Sophos).

Explanation:

TrojanDropper:Win32/Cutwail.AL is a member of Win32/Cutwail - a multi-component family of malware that downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads another trojan which is used to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal. This particular variant injects another Cutwail component into a process on the affected system, and may download and execute arbitrary files.

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\rs32net.exe
  • The presence of the following registry modifications:
    Adds value: "rs32net"
    With data: "<system folder>\rs32net.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run



Installation

TrojanDropper:Win32/Cutwail.AL copies itself to <system folder>\rs32net.exe and modifies the registry to execute this copy at each Windows start:

Adds value: "rs32net"
With data: "<system folder>\rs32net.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

Payload

Injects additional Cutwail components

TrojanDropper:Win32/Cutwail.AL may inject TrojanDownloader:Win32/Cutwail.S into the svchost.exe process.

Downloads arbitrary files

TrojanDropper:Win32/Cutwail.AL attempts to connect to IP address 94.247.3.46 via TCP port 80 and sends a GET request. This mechanism may be used to download arbitrary files, including other malware or Win32/Cutwail components.
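A read-only host-triage script for the three indicators above (Run value, dropped file, download-server connection), added here as an example and not part of the original advisory or any vendor tooling. It assumes PowerShell 4 or later on Windows 8 / Server 2012 or later (for Get-FileHash and Get-NetTCPConnection) and takes the value name, file name and server address exactly as the advisory gives them.

```powershell
# Added example, not part of the original advisory: read-only triage of a Windows
# host for the Cutwail.AL indicators. Assumes PowerShell 4+ on Windows 8 / Server 2012
# or later (Get-FileHash, Get-NetTCPConnection). It reports; it does not remediate.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$fileName = 'rs32net.exe'     # dropped copy, per the advisory
$c2       = '94.247.3.46'     # download server, per the advisory (may no longer be live)
$findings = @()

# 1. Persistence: the Run value "rs32net", or any Run value whose data points at the dropped file
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata properties
        if ($p.Name -eq 'rs32net' -or "$($p.Value)" -match [regex]::Escape($fileName)) {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Dropped file in <system folder> (C:\Windows\System32 on XP/Vista, C:\Winnt\System32 on 2000/NT)
$dropped = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path -LiteralPath $dropped) {
    $sha256 = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $sha256)"
}

# 3. Network: live TCP connections to the download server on port 80. Because the
#    downloader component is injected into svchost.exe, the owning process may be svchost.
$findings += Get-NetTCPConnection -RemoteAddress $c2 -RemotePort 80 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        "TCP $($_.LocalAddress):$($_.LocalPort) -> ${c2}:80 ($($_.State)) owned by PID $($_.OwningProcess) [$owner]"
    }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No TrojanDropper:Win32/Cutwail.AL indicators found on $env:COMPUTERNAME."
}
```

Because the family uses a rootkit to hide from live queries, a clean result here does not rule out infection; confirm against an offline image of the disk and registry hives.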

Analysis by Wei Li

Last update 18 June 2009
