TrojanDownloader:Win32/Cutwail.AJ


First posted on 16 April 2009.
Source: SecurityHome

Aliases:

TrojanDownloader:Win32/Cutwail.AJ is also known as Trojan.Win32.Agent.byjd (Kaspersky), Troj/Meredr-Fam (Sophos), Win32/Wigon.JX (ESET).

Explanation:

TrojanDownloader:Win32/Cutwail.AJ is a member of Win32/Cutwail - a family of trojans which download and execute arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a component which is used to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Installation
When executed, TrojanDownloader:Win32/Cutwail.AJ copies itself to the following location:
%UserProfile%\%UserName%.exe
Note: %UserProfile% is a variable location defined by the malware by querying the operating system. A typical location would be C:\Documents and Settings\<user> or C:\Users\<user>.
It modifies the registry to execute this copy at each Windows start:
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<%UserName%>"
With data: "%UserProfile%\%UserName%.exe /i"
Trojan:Win32/Cutwail.AJ may then inject its code into the svchost.exe process. It also creates the following mutexes:
abcd
ajsdoasjdoasjdasoidjaosdjoasjdaosijdsad

Payload
Modifies System Security Settings
TrojanDownloader:Win32/Cutwail.AJ bypasses the firewall by executing the following command:
"netsh firewall set allowedprogram <<Malware file name>> ENABLE"
Downloads and Executes Arbitrary Files
TrojanDownloader:Win32/Cutwail.AL attempts to connect to one of the following IP addresses, presumably to download and execute arbitrary files - this could include additional malware:


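As an added example (not part of the original description), a small Python triage script that checks host telemetry records for the indicators listed above: a Run-key value whose data is <username>.exe in the profile root with the /i switch, the netsh firewall allowedprogram command, and the two mutex names. The simplified event schema and the sample records are constructed for this example and are not real log output.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the description above. The telemetry records below are
# constructed samples in a simplified schema, not real event-log output.
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
KNOWN_MUTEXES = {"abcd", "ajsdoasjdoasjdasoidjaosdjoasjdaosijdsad"}
NETSH_ALLOW = re.compile(
    r"^\s*netsh(?:\.exe)?\s+firewall\s+set\s+allowedprogram\s+.+\s+enable\s*$",
    re.IGNORECASE,
)

def is_run_persistence(key: str, data: str, username: str) -> bool:
    # Run-key value whose data is <profile root>\<username>.exe /i, in either the
    # unexpanded %UserProfile% form or an expanded Documents and Settings/Users path.
    if not key.lower().endswith(RUN_KEY_SUFFIX):
        return False
    user = re.escape(username)
    pattern = (
        r'^"?(?:%userprofile%|[a-z]:\\(?:documents and settings|users)\\'
        + user + r")\\" + user + r'\.exe"?\s+/i"?$'
    )
    return re.match(pattern, data.strip(), re.IGNORECASE) is not None

def scan(events: Iterable[Dict[str, str]], username: str) -> List[str]:
    """Return one finding per event that matches a Cutwail.AJ indicator."""
    findings: List[str] = []
    for ev in events:
        if ev["type"] == "registry_set" and is_run_persistence(ev["key"], ev["data"], username):
            findings.append(f"run-key persistence: {ev['key']}\\{ev['value']} = {ev['data']}")
        elif ev["type"] == "process_create" and NETSH_ALLOW.match(ev["cmdline"]):
            findings.append(f"firewall allow-list change: {ev['cmdline']}")
        elif ev["type"] == "mutex_create" and ev["name"] in KNOWN_MUTEXES:
            findings.append(f"known mutex: {ev['name']}")
    return findings

SAMPLE_EVENTS = [  # constructed: user "alice", with one benign autorun mixed in
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "alice", "data": r"C:\Users\alice\alice.exe /i"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "cmdline": r'netsh firewall set allowedprogram "C:\Users\alice\alice.exe" ENABLE'},
    {"type": "mutex_create", "name": "ajsdoasjdoasjdasoidjaosdjoasjdaosijdsad"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, "alice"):
        print(line)
```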
Analysis by Elda Dimakiling

Last update 16 April 2009
