Threat behavior
Virus:Win32/Cutwail.gen!A is a generic detection for Win32/Cutwail, a multi-component family of malware that downloads and executes arbitrary files.
Virus:Win32/Cutwail.gen!A is mostly used to install additional Cutwail components and other malware on an affected machine.
In general, the Cutwail family is used to compromise machines and direct them in various ways at the attacker's will, usually for monetary gain. This could include using the affected machine to:
- Distribute additional malware
- Send spam
- Generate 'pay per click' advertising revenue
- Harvest e-mail addresses
- Break captchas
Its components are varied, but include:
- Trojan downloaders and droppers
- Spammers
- Viruses
Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
Installation
Virus:Win32/Cutwail.gen!A is a generic detection of files that contain:
- an encrypted copy of a clean Windows system driver
- an encrypted copy of a malicious loader (detected as Trojan:WinNT/Cutwail.A)
These drivers are loaded dynamically without ever being written to disk. The malicious loader (Trojan:WinNT/Cutwail.A) injects the downloading payload executable (for example, TrojanDownloader:Win32/Cutwail.AW) into services.exe.
Payload
Downloads and executes arbitrary files
The payload is carried out by the downloading component previously injected into services.exe, for example TrojanDownloader:Win32/Cutwail.AW.
We have observed TrojanDownloader:Win32/Cutwail.AW trying to connect to one or more of the following remote hosts in order to download and execute arbitrary files:
Additional information
TrojanDownloader:Win32/Cutwail.AW may also change the following registry entry to ensure the TCP port number used is not greater than 65534.
Set value: "MaxUserPort"
With data: 65534
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
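The MaxUserPort change above is one host artifact a responder can look for offline in a registry export of the Tcpip\Parameters key. The following check is an added example, not code from the original analysis: it parses a constructed .reg export (the sample host name and other values are made up) and reports whether MaxUserPort is set to the 65534 value described on this page.

```python
import re

# Constructed sample of a Windows .reg export; not captured from a real host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="WORKSTATION01"
"MaxUserPort"=dword:0000fffe
"TcpTimedWaitDelay"=dword:0000001e
"""

TARGET_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Value the Cutwail downloader is reported to write (65534 == 0xfffe).
CUTWAIL_MAXUSERPORT = 65534


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: (type, value)}}.

    Only string and dword values are handled, which is all this check needs;
    other value types are stored as raw strings.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if val_match and current is not None:
            name, raw = val_match.group(1), val_match.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = ("dword", int(raw[len("dword:"):], 16))
            else:
                keys[current][name] = ("string", raw.strip('"'))
    return keys


def check_max_user_port(text):
    """Return (MaxUserPort value or None, True if it matches the Cutwail value)."""
    params = parse_reg_export(text).get(TARGET_KEY, {})
    entry = params.get("MaxUserPort")
    if entry is None:
        return None, False
    vtype, value = entry
    return value, (vtype == "dword" and value == CUTWAIL_MAXUSERPORT)
```

A match is a lead rather than proof of infection, since administrators also raise MaxUserPort when tuning servers; correlate it with the injected downloader in services.exe before drawing conclusions.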
Analysis by Chun Feng
Prevention