
Trojan:Win32/Cutrinka.A


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Cutrinka.A is also known as W32/Belka.worm (McAfee), Trojan.Win32.VB.dlq (Kaspersky), Mal/VB-F (Sophos), Win32/SillyFDC.BO (CA).

Explanation:

Trojan:Win32/Cutrinka.A is a trojan that may shut the system down. Prior to this action, it may display a message that the system will be shut down in ten seconds.

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\sevcst.exe
    <system folder>\av32.exe
    <current folder>\UnknownPictures.exe
    %windir%\science.exe
    %windir%\config\sevcst.exe
  • The presence of the following registry modifications:
    Added value: "Windows Host Services"
    With data: "<system folder>\sevcst.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Modified value: "Shell"
    With data: "explorer.exe %windir%\config\sevcst.exe"
    Original data: "explorer.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • The display of a message informing the user that the system will be shut down in ten seconds.
  • The computer may shut down without any user action.

Installation

Upon execution, Trojan:Win32/Cutrinka.A drops copies of itself to the following locations:
  • <system folder>\sevcst.exe
  • <system folder>\av32.exe
  • <current folder>\UnknownPictures.exe
  • %windir%\science.exe
  • %windir%\config\sevcst.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.

It then modifies the system registry so that its dropped copies run automatically when Windows starts and when a user logs in:

    Adds value: "Windows Host Services"
    With data: "<system folder>\sevcst.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Modifies value: "Shell"
    With data: "explorer.exe %windir%\config\sevcst.exe"
    Original data: "explorer.exe"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Payload

Shuts Down the Affected System

Trojan:Win32/Cutrinka.A may issue a command to shut down the system. Prior to this action, it may display a message that the system will shut down in ten seconds.
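The file and registry indicators above can be checked on a host with a read-only PowerShell script. This is an added example, not part of the original description or a vendor tool; it assumes it runs on the host being examined with rights to read HKLM, and it treats the current working directory as <current folder>, since the description does not fix that location.

```powershell
# Added example: report the Cutrinka.A indicators listed in this description.
# Read-only: it prints findings and changes nothing on the host.
function Test-CutrinkaIndicators {
    $sys = [Environment]::GetFolderPath('System')   # resolves <system folder>
    $win = $env:windir                               # resolves %windir%
    $cur = (Get-Location).Path                       # assumption for <current folder>

    # Dropped-file locations named in the description.
    $files = @(
        (Join-Path $sys 'sevcst.exe'),
        (Join-Path $sys 'av32.exe'),
        (Join-Path $cur 'UnknownPictures.exe'),
        (Join-Path $win 'science.exe'),
        (Join-Path $win 'config\sevcst.exe')
    )

    $findings = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $findings += "File present: $f"
        }
    }

    # Run key: a value named "Windows Host Services" is the persistence entry.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows Host Services']) {
        $findings += "Run value 'Windows Host Services' = $($run.'Windows Host Services')"
    }

    # Winlogon Shell: the default is exactly "explorer.exe"; anything appended
    # to it (here %windir%\config\sevcst.exe) is launched at every logon.
    $wlKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wlKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell modified: '$shell' (expected 'explorer.exe')"
    }

    return $findings
}

$result = Test-CutrinkaIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Cutrinka.A indicators found.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

The Winlogon Shell check is the most durable of the three, since a Shell value that is not plain "explorer.exe" is worth investigating regardless of which family planted it.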

    Analysis by Andrei Florin Saygo

    Last update 04 February 2009
