Win32/Cutwail is a Trojan which downloads and executes arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail usually downloads a Trojan which is able to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
System Changes
Win32/Cutwail uses advanced stealth (rootkit) functionality in order to hide its presence. Hence, it is unlikely that any symptoms of a Win32/Cutwail infection would be obvious (or even ascertainable) to an affected user.
Installation
When executed, Cutwail attempts to drop a device driver to disk, overwriting the legitimate original. The filename differs depending on the operating system version of the affected machine. The filename used may be one of the following:
- %SystemRoot%\System32\drivers\ip6fw.sys
- %SystemRoot%\System32\drivers\secdrv.sys
- %SystemRoot%\System32\drivers\netdtect.sys
Cutwail then attempts to start the corresponding kernel driver by name:
This driver attempts to restore various system hooks to their original unhooked state. For example, any System Service Descriptor Table (SSDT) hook will be reverted. By doing this, Cutwail may be able to circumvent security applications or even other malware which may be installed on the system.
Payload
Provides Advanced Stealth Functionality
Cutwail drops a second device driver to disk:
- %SystemRoot%\System32\drivers\runtime.sys
and installs it via the following registry modifications (for example):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\ImagePath = "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Type = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Start = 0x3
It then loads the driver. This driver is able to stealth processes for a supplied process id (PID) by directly manipulating the EPROCESS structure.
Cutwail usually downloads an updated version of itself (see Downloads and Executes Arbitrary Files section below for additional detail). This updated version drops another driver which implements additional rootkit functionality.
The updater attempts to write the device driver to:
and install it via the following registry modifications (for example):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\\??\\C:\\WINDOWS\\System32\\drivers\\runtime2.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\ErrorControl = 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x3
It then loads the driver.
If 'runtime2.sys' already exists, the new device driver is written to the alternate location:
The existing device driver is then instructed to update itself with the new copy.
The driver also creates the following registry keys to ensure that it is loaded in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys
This driver then drops an executable to:
creating the following registry entry to ensure it is run:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv = "C:\WINDOWS\Temp\startdrv.exe"
Inhibits Removal
Cutwail is not only able to hide itself, it can prevent the removal of its files and registry entries. To hide and protect its registry entries it hooks the following functions via the SSDT:
ZwDeleteValueKey()
ZwEnumerateKey()
ZwEnumerateValueKey()
ZwOpenKey()
ZwSetValueKey()
To protect files on disk it implements a file system filter driver. The IRP handlers IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL are hooked for the FastFAT or NTFS driver objects, depending on the filesystem type.
Downloads and Executes Arbitrary Files
Cutwail attempts to launch a copy of Internet Explorer from the following location:
- %ProgramFiles%\Internet Explorer\iexplore.exe
It then injects the downloading component into this process, where it then executes. Cutwail instructs 'runtime.sys' to stealth the "iexplore.exe" process. After this, runtime.sys is deleted.
The downloading component creates the mutex: k4j.32H_f7z_Z6e.g8G0.
It attempts to connect to one of the following remote hosts to download a software bundle.
Cutwail creates a file during the download process, selecting the name randomly from the following list:
%windir%\system32\9_exception.nls
%windir%\system32\8_exception.nls
%windir%\system32\7_exception.nls
%windir%\system32\6_exception.nls
%windir%\system32\5_exception.nls
%windir%\system32\4_exception.nls
%windir%\system32\3_exception.nls
%windir%\system32\2_exception.nls
%windir%\system32\1_exception.nls
%windir%\system32\0_exception.nls
Cutwail may also create the following registry key value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme\Last
Executables from within the downloaded software bundle may be written to disk or injected directly into Internet Explorer. Those which are written to disk are given a random numerical filename and are written to the %temp% directory, for example, %temp%\1193135.exe
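A defender-side triage script covering the installation, payload, removal-inhibition and download artifacts described above; it is added here as an example and is not part of the original encyclopedia entry. It assumes a Windows XP-era host where %SystemRoot%\System32\dllcache holds the Windows File Protection copies of the original drivers, and it only reports findings rather than removing anything.

```powershell
# Added triage script, not part of the original encyclopedia entry. It looks for the
# Win32/Cutwail artifacts named in the entry (service keys, SafeBoot and Run entries,
# dropped files, overwritten drivers). Assumed: %SystemRoot%\System32\dllcache holds
# Windows File Protection copies of the original drivers (Windows XP).
# Caveat: the entry states that the rootkit hooks ZwOpenKey/ZwEnumerateKey and the
# NTFS/FastFAT IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL handlers, so on a live
# infected host these checks can be blinded; prefer an offline image or hive copy.
$findings = New-Object System.Collections.Generic.List[string]
$sys32 = "$env:SystemRoot\System32"
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)) |
        ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Driver services for the first- and second-stage rootkit drivers.
foreach ($svc in 'runtime', 'runtime2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $findings.Add("service '$svc': ImagePath=$($p.ImagePath) Type=$($p.Type) Start=$($p.Start)")
    }
}

# 2. SafeBoot entries that keep runtime2.sys loading in Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\runtime2.sys") {
        $findings.Add("SafeBoot\$mode\runtime2.sys present")
    }
}

# 3. Run key that relaunches the dropped executable.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['startdrv']) { $findings.Add("Run\startdrv = $($run.startdrv)") }

# 4. Dropped files: rootkit drivers, Run-key payload and the download scratch files.
$paths = @("$sys32\drivers\runtime.sys", "$sys32\drivers\runtime2.sys", "$env:SystemRoot\Temp\startdrv.exe")
$paths += 0..9 | ForEach-Object { "$sys32\${_}_exception.nls" }
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") } }

# 5. Cutwail overwrites a legitimate driver; a mismatch with the dllcache copy means the installed file is not the original.
foreach ($drv in 'ip6fw.sys', 'secdrv.sys', 'netdtect.sys') {
    $live = "$sys32\drivers\$drv"; $cache = "$sys32\dllcache\$drv"
    if ((Test-Path -LiteralPath $live) -and (Test-Path -LiteralPath $cache) -and
        ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache))) {
        $findings.Add("driver $drv differs from its dllcache copy")
    }
}

if ($findings.Count -eq 0) { 'No Cutwail artifacts found (see caveat above).' } else { $findings }
```

Any finding is a lead for analysis, not a verdict: confirm against a clean reference of the same Windows build before acting on the overwritten-driver check.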
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.