
Spammer:Win32/Cutwail.gen!C


Win32/Cutwail is a multi-component family of trojans that download and execute arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail's purpose is often to send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
 
This component is used to send spam.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Win32/Cutwail is a multi-component family of trojans that download and execute arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail's purpose is often to send spam. Cutwail may employ a rootkit and other defensive techniques to avoid detection and removal.
 
This component is used to send spam.
Installation
Spammer:Win32/Cutwail.gen!C is injected into the %windir%\system32\svchost.exe process by other Cutwail variants/components. When running, it may drop the following files:
  • <system folder>\drivers\dumplog.exe
  • <system folder>\drivers\nktest.sys
  • <system folder>\drivers\nkv2.sys
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Payload
Sends Spam
Spammer:Win32/Cutwail.gen!C may contact the following IP addresses in order to receive configuration instructions:
  • 216.195.56.25
  • 216.195.61.215
  • 216.195.61.62
  • 216.195.55.77
  • 216.195.50.221
  • 208.66.194.240
The trojan may also make a number of outbound connection attempts via port 25 to the following servers in order to test for e-mail-sending capability:
  • mxs.mail.ru
  • gmail-smtp-in.l.google.com
  • gsmtp183.google.com
  • in1.smtp.messagingengine.com
  • mail7.digitalwaves.co.nz
After receiving configuration data from a remote controller and testing the affected machine's capabilities, this trojan may be used to send bulk unwanted e-mail (i.e. spam).
 
Analysis by Marian Radu
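The network indicators above (the configuration-server addresses and the port-25 probe targets) lend themselves to a simple log sweep. The following is an added example, not code from Microsoft or from this analysis; it assumes a constructed connection-log format (`<timestamp> <src_ip> -> <dst_host_or_ip>:<dst_port> <action>`) and sample records built inline, so `parse_line()` would need adapting to a real firewall or proxy schema. It also goes slightly beyond the entry by counting how many distinct listed mail servers one internal host probes, since a fan-out across unrelated providers is the capability test the Payload section describes.

```python
"""Constructed example (not Microsoft's or the analyst's code): match outbound
connection records against the network indicators listed in this entry.

Assumed log format, one record per line:
    <timestamp> <src_ip> -> <dst_host_or_ip>:<dst_port> <action>
Adapt parse_line() to the real firewall/proxy schema before use.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators copied from the Payload section of the entry.
CONFIG_SERVERS = frozenset({
    "216.195.56.25", "216.195.61.215", "216.195.61.62",
    "216.195.55.77", "216.195.50.221", "208.66.194.240",
})
SMTP_TEST_HOSTS = frozenset({
    "mxs.mail.ru", "gmail-smtp-in.l.google.com", "gsmtp183.google.com",
    "in1.smtp.messagingengine.com", "mail7.digitalwaves.co.nz",
})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line: str):
    """Return (ts, src, dst, port) or None for lines that do not match the schema."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"].lower(), int(m["port"])


def classify(dst: str, port: int) -> Optional[str]:
    """Reason string if (dst, port) matches an indicator from the entry, else None.
    The entry gives no port for the configuration servers, so any port matches
    there; the mail-server probes are matched only on port 25."""
    if dst in CONFIG_SERVERS:
        return "contact with listed Cutwail configuration server"
    if port == 25 and dst in SMTP_TEST_HOSTS:
        return "port-25 probe of a listed e-mail capability test host"
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run every record through classify(); malformed records are skipped, not fatal."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port = parsed
        reason = classify(dst, port)
        if reason:
            hits.append(Hit(ts, src, dst, port, reason))
    return hits


def smtp_probe_fanout(hits: List[Hit], min_hosts: int = 2) -> Dict[str, int]:
    """Map internal source -> number of distinct listed mail servers it probed on
    port 25, keeping only sources at or above min_hosts. One outbound SMTP
    connection can be legitimate; a workstation fanning out to several unrelated
    mail providers is the capability test the Payload section describes."""
    targets = defaultdict(set)
    for h in hits:
        if h.port == 25 and h.dst in SMTP_TEST_HOSTS:
            targets[h.src].add(h.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


# Constructed sample records; the addresses and hosts are the ones the entry lists.
SAMPLE_LOG = [
    "2010-05-17T10:00:01 10.0.0.12 -> 216.195.61.215:80 ALLOW",
    "2010-05-17T10:00:05 10.0.0.12 -> mxs.mail.ru:25 ALLOW",
    "2010-05-17T10:00:06 10.0.0.12 -> gmail-smtp-in.l.google.com:25 ALLOW",
    "2010-05-17T10:00:07 10.0.0.12 -> mail7.digitalwaves.co.nz:25 DENY",
    "2010-05-17T10:01:00 10.0.0.15 -> www.example.com:443 ALLOW",
    "2010-05-17T10:01:02 10.0.0.15 -> mxs.mail.ru:25 ALLOW",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port}  {h.reason}")
    print("fan-out sources:", smtp_probe_fanout(found))
```

A denied connection still counts as a hit: the entry describes connection attempts, and a blocked attempt is the more interesting signal for an infected host behind an egress filter. The hostnames listed are legitimate mail providers, so a match on a single port-25 connection should be treated as a lead for the fan-out check rather than a verdict on its own.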

Symptoms

System Changes
The following system changes may indicate the presence of Spammer:Win32/Cutwail.gen!C:
  • Presence of the following files:
    <system folder>\drivers\dumplog.exe
    <system folder>\drivers\nktest.sys
    <system folder>\drivers\nkv2.sys
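A file-presence sweep for these indicators is straightforward, but two details from the entry matter: <system folder> must be resolved from the environment rather than hard-coded (the note above about Winnt versus Windows), and a negative result is not conclusive because the family may use a rootkit to hide files from user-mode listings. The following is an added example, not Microsoft's code; it assumes the `SystemRoot`/`windir` environment variables of a Windows host and includes a self-check that builds a throwaway directory tree so the logic can be exercised on any OS.

```python
"""Constructed example (not Microsoft's code): sweep the drivers subfolder of
<system folder> for the file names this entry lists, reporting size and
modification time for triage.
"""
import os
import tempfile
import time
from typing import Dict, List, Optional

# File names from the Installation / Symptoms sections of the entry.
DROPPED_FILES = ("dumplog.exe", "nktest.sys", "nkv2.sys")


def system_folder() -> str:
    """Resolve <system folder> from the environment rather than hard-coding it:
    the entry notes it is C:\\Winnt\\System32 on 2000/NT and C:\\Windows\\System32
    on XP/Vista. Assumption: SystemRoot or windir is set, as on a normal Windows host."""
    root = os.environ.get("SystemRoot") or os.environ.get("windir") or r"C:\Windows"
    return os.path.join(root, "System32")


def check_dropped_files(system_dir: Optional[str] = None) -> List[Dict[str, object]]:
    """Return one record per listed file found in the drivers subfolder of system_dir.
    Matching is case-insensitive because NTFS paths are. An empty result is not
    proof of a clean host: the family's rootkit component can hide files from
    user-mode directory listings, so the scanner the entry recommends still applies."""
    drivers = os.path.join(system_dir or system_folder(), "drivers")
    wanted = {n.lower() for n in DROPPED_FILES}
    found: List[Dict[str, object]] = []
    try:
        entries = os.listdir(drivers)
    except OSError as exc:
        # Missing folder or insufficient rights: report, do not abort the sweep.
        print(f"cannot list {drivers}: {exc}")
        return found
    for name in entries:
        if name.lower() not in wanted:
            continue
        path = os.path.join(drivers, name)
        st = os.stat(path)
        found.append({
            "path": path,
            "size": st.st_size,
            "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
        })
    return sorted(found, key=lambda r: str(r["path"]))


def self_check() -> List[str]:
    """Build a temporary System32-like tree with one listed name (in mixed case)
    and one unrelated driver, and return the base names the sweep reports."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = os.path.join(tmp, "drivers")
        os.makedirs(drivers)
        for name in ("NKV2.SYS", "legit.sys"):
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(b"\0" * 16)   # constructed placeholder content
        return [os.path.basename(str(r["path"])) for r in check_dropped_files(tmp)]


if __name__ == "__main__":
    for rec in check_dropped_files():
        print(rec)
```

Run on the affected host, the script lists any of the three names present with size and timestamp; the timestamp is the useful triage detail, because the entry dates the dropped files to the infection rather than to the OS install.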

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.197.1225.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: May 29, 2008
This entry was updated on: May 17, 2010

This threat is also detected as:
  • Email-Worm.Win32.Agent.bx (Kaspersky)
  • Spy-Agent.bv (McAfee)
  • W32/Smallworm.BDM (Norman)
  • Mal/Basine-C (Sophos)