Win32/Cutwail is a multi-component family of trojans that download and execute arbitrary files. Downloaded files may be executed from disk or injected directly into other processes. Whilst the functionality of the files that are downloaded is variable, Cutwail's purpose is often to send spam. Cutwail may employ a rootkit and other defensive techniques to avoid detection and removal.
This component is used to send spam.
Spammer:Win32/Cutwail.gen!C is injected into the %windir%\system32\svchost.exe process by other Cutwail variants/components. When running, it may drop the following files:
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
Spammer:Win32/Cutwail.gen!C may contact the following IP addresses in order to receive configuration instructions:
The trojan may also make a number of outbound connection attempts via port 25 to the following servers in order to test for e-mail-sending capability:
After receiving configuration data from a remote controller and testing the affected machine's capabilities, this trojan may be used to send bulk unwanted e-mail (i.e. spam).
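The behaviour above gives defenders a concrete hunt: a svchost.exe process (the host this component is injected into) opening outbound TCP/25 connections to several destinations in quick succession. The following added example, which is not part of this analysis, runs that check over a constructed Sysmon-style network-connection log; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a Sysmon Event ID 3 style (not real telemetry):
# timestamp|image|source_ip|destination_ip|destination_port
SAMPLE_LOG = """\
2024-03-01T09:00:01|C:\\Windows\\System32\\svchost.exe|10.0.0.5|203.0.113.10|25
2024-03-01T09:00:02|C:\\Windows\\System32\\svchost.exe|10.0.0.5|203.0.113.11|25
2024-03-01T09:00:03|C:\\Windows\\System32\\svchost.exe|10.0.0.5|203.0.113.12|25
2024-03-01T09:00:04|C:\\Windows\\System32\\svchost.exe|10.0.0.5|198.51.100.7|443
2024-03-01T09:05:00|C:\\Program Files\\Mail\\client.exe|10.0.0.9|198.51.100.20|25
2024-03-01T09:06:00|C:\\Windows\\System32\\svchost.exe|10.0.0.7|203.0.113.30|25
"""

# Match svchost.exe only in the system folder, as the analysis describes.
SVCHOST_RE = re.compile(r"\\system32\\svchost\.exe$", re.IGNORECASE)
SMTP_PORT = 25

def parse_records(text):
    """Parse the constructed pipe-delimited log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, src, dst, port = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "image": image,
                         "src": src, "dst": dst, "port": int(port)})
    return records

def find_svchost_smtp_probes(records, min_destinations=3, window_seconds=60):
    """Return {source_ip: [destination_ips]} for hosts where svchost.exe reached
    at least min_destinations distinct hosts on TCP/25 within window_seconds.
    A legitimate svchost.exe has no reason to speak SMTP to many hosts in a burst,
    which is the e-mail capability test described above. Thresholds are assumed."""
    by_src = defaultdict(list)
    for r in records:
        if r["port"] == SMTP_PORT and SVCHOST_RE.search(r["image"]):
            by_src[r["src"]].append(r)
    hits = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):  # slide a window over each start point
            in_window = [r for r in rs[i:]
                         if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            dsts = sorted({r["dst"] for r in in_window})
            if len(dsts) >= min_destinations:
                hits[src] = dsts
                break
    return hits

if __name__ == "__main__":
    for src, dsts in find_svchost_smtp_probes(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: svchost.exe probed SMTP on {dsts}")
```

Only 10.0.0.5 is flagged: the mail client on 10.0.0.9 is a different image, and 10.0.0.7's single connection stays below the threshold, so tune min_destinations to your environment's false-positive tolerance.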
Analysis by Marian Radu
The following system changes may indicate the presence of Spammer:Win32/Cutwail.gen!C: