Home / malwarePDF  

TrojanDownloader:Win32/Cutwail.CJ


First posted on 13 November 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Cutwail.CJ.

Explanation :

Threat behavior TrojanDownloader:Win32/Cutwail.CJ is a member of Win32/Cutwail - a multi-component family of malware that downloads and executes arbitrary files. This functionality is mostly used to install additional Cutwail components, and other malware on an affected computer. In general, the Cutwail family is used to compromise computers and direct them in various ways at the attacker's will, usually for monetary gain. This could include using the affected computer to distribute additional malware, send spam, generate 'pay per click' advertising revenue, harvest email addresses, and break captchas. Its components are varied, but include trojan downloaders and droppers, spammers, and viruses. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.

Installation

TrojanDownloader:Win32/Cutwail.CJ copies itself to the following locations:

  • \kbkqlaxn.exe
  • c:\documents and settings\administrator\kbkqlaxn.exe
Note: refers to a variable location that the malware determines by querying your operating system. The default installation location for the system folder in Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "kbkqlaxn"
With data: "c:\windows\system32\kbkqlaxn.exe"

Payload

Contacts remote hosts
TrojanDownloader:Win32/Cutwail.CJ may contact the following remote hosts using port 443:

  • 192.99.211.60
  • 83.172.8.61

Commonly, malware does this to:
  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 afe19a2a9f376d3d8876dc9a71e3173c21818b1f.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

\kbkqlaxn.exe
c:\documents and settings\administrator\kbkqlaxn.exe
  • You see these entries or keys in your registry:
Sets value: "kbkqlaxn"
With data: "c:\windows\system32\kbkqlaxn.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last update 13 November 2014

 

TOP

Malware :