
TrojanDownloader:Win32/Cutwail.AN


First posted on 01 May 2009.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Cutwail.AN is also known as Win32/SillyP2P.BZ (CA), Trojan.Win32.Agent.btjt (Kaspersky), Trojan.Agent.HKVQ (VirusBuster), and Win32/AutoRun.Agent.LT (ESET).

Explanation:

TrojanDownloader:Win32/Cutwail.AN is the generic detection for the DLL component of members of the Win32/Cutwail malware family. Its primary function is to load certain code into a system process, which allows it to connect to and download files from a specific remote server.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Installation
TrojanDownloader:Win32/Cutwail.AN usually arrives in the system by being dropped and installed by other members of the Win32/Cutwail malware family. Some samples may be installed in the system as a service, while others may be loaded into the process svchost.exe when the system starts.

Payload
Downloads Arbitrary Files
TrojanDownloader:Win32/Cutwail.AN injects code into other system processes, for example, services.exe. The injected code may try to connect to certain predetermined IP addresses using port 80 to report infection of the system and to retrieve downloading commands. The addresses it is known to connect to are:

  • 218.93.202.103
  • 221.230.2.208
  • 61.158.167.52

TrojanDownloader:Win32/Cutwail.AN may download arbitrary files according to the commands it retrieves from these IP addresses.
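The following is an added detection example, not part of the original write-up. It scans host-firewall style log lines in an assumed format ('timestamp process pid dst_ip dst_port', constructed here) for the two things this entry gives a defender to look for: connections to the listed addresses on port 80, and outbound connections to public addresses from services.exe or svchost.exe, the processes the entry names as injection hosts.

```python
import ipaddress
from dataclasses import dataclass
# Indicators from the write-up: C2 addresses contacted over TCP port 80.
CUTWAIL_AN_C2 = {"218.93.202.103", "221.230.2.208", "61.158.167.52"}
# Processes named as hosts for the injected code; direct connections from them to public addresses are suspicious.
INJECTION_HOSTS = {"services.exe", "svchost.exe"}

@dataclass
class Alert:
    line_no: int
    reason: str
    process: str
    dst: str

def parse_line(line):
    """Parse one assumed-format line: '<ts> <process> <pid> <dst_ip> <dst_port>'."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    try:
        ip = ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    return parts[1].lower(), ip, int(parts[4])

def scan_log(lines):
    """Return an Alert for every line matching a Cutwail.AN indicator or behaviour."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        proc, ip, port = parsed
        dst = f"{ip}:{port}"
        if str(ip) in CUTWAIL_AN_C2 and port == 80:
            alerts.append(Alert(n, "known Cutwail.AN C2 address", proc, dst))
        elif proc in INJECTION_HOSTS and ip.is_global:
            alerts.append(Alert(n, "system process connecting to public address", proc, dst))
    return alerts

# Constructed sample lines (not real telemetry); addresses outside the C2 set are arbitrary.
SAMPLE_LOG = [
    "2009-05-01T10:00:01 firefox.exe 1204 93.184.216.34 443",
    "2009-05-01T10:00:05 services.exe 612 218.93.202.103 80",
    "2009-05-01T10:00:06 svchost.exe 880 192.168.1.10 445",
    "2009-05-01T10:00:09 svchost.exe 880 61.158.167.52 80",
    "2009-05-01T10:00:12 services.exe 612 104.16.0.1 8080",
    "malformed line",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 4 as C2 contact and line 5 as an unexpected external connection from services.exe; the private-range svchost.exe line and the malformed line produce nothing.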

    Analysis by Shawn Wang

    Last update 01 May 2009
