TrojanDownloader:Win32/Cutwail.Y is a trojan that connects to a remote IP address to download other malware. It also prevents the Windows Firewall service from running on the infected system.
Installation
TrojanDownloader:Win32/Cutwail.Y drops the following files into the Windows folder (%windir%):
- services.exe
- file.bat
- adobe.bat
Note that a legitimate Windows file also named services.exe exists in the Windows system folder (%windir%\System32); the copy dropped directly into %windir% is the malicious one.
It records the path of its currently running file by adding the following registry entry. This subkey is not the one the Service Control Manager reads (HKLM\SYSTEM\CurrentControlSet\Services), so the entry does not create a genuine Windows service:
Adds value: "del"
With data: "<malware file>"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\services
It also creates the following autostart entry for its dropped copy so that it runs every time Windows starts:
Adds value: "services"
With data: "%windir%\services.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Payload
Disables Windows Firewall
TrojanDownloader:Win32/Cutwail.Y modifies the system registry to disable the Windows Firewall service and to silence the warning about it. FirewallDisableNotify=1 suppresses the Security Center alert that the firewall is off; Start=4 (SERVICE_DISABLED) stops the SharedAccess service, which hosts Windows Firewall, from starting; and EnableFirewall=0 under the two policy profiles turns the firewall off by policy for both domain-joined and standard (non-domain) network profiles:
Adds value: "FirewallDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "Start"
With data: "4"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Adds value: "EnableFirewall"
With data: "0"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
Adds value: "EnableFirewall"
With data: "0"
To subkey: HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
The file dropped by Cutwail.Y as file.bat is also used to disable Windows Firewall by running the following command:
netsh firewall set opmode DISABLE
It also adds its own file to the firewall's allowed-programs list (under the display name "allowed"), so that its connections are not blocked should the firewall later be re-enabled, by running the following command:
netsh firewall add allowedprogram <malware file> allowed ENABLE
Runs Other Malware
The file dropped by Cutwail.Y as adobe.bat is used to run the dropped services.exe. It may also run a file that is detected as Spammer:Win32/Tedroo.I.
Downloads Other Malware
Cutwail.Y connects to 66.232.113.61 over TCP port 80 (HTTP) to download additional malware.
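The following PowerShell script is an added example and is not part of the Microsoft analysis above. It performs a read-only sweep of a suspect host for the indicators listed in the Installation and Payload sections: the three dropped files, the autostart and marker registry values, the four firewall-tampering values, the state of the SharedAccess service, and any live TCP connection to the download address. File names, registry paths and values are taken from this entry; the live-connection check assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later) and is skipped where it is not. Run it from an elevated PowerShell session; nothing is modified.

```powershell
# Added example, not part of the encyclopedia entry: read-only indicator sweep
# for TrojanDownloader:Win32/Cutwail.Y. Paths and values come from the entry above.

$findings = @()

# 1. Dropped files in the Windows folder. The legitimate services.exe lives in
#    %windir%\System32, so a services.exe directly under %windir% is suspect.
foreach ($name in 'services.exe', 'file.bat', 'adobe.bat') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "Dropped file present: $path"
    }
}

# 2. Autostart value under the Explorer policy Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['services']) {
    $findings += "Autostart value 'services' = $($run.services) under $runKey"
}

# 3. The marker value written under ...\CurrentVersion\services (not the SCM key).
$markerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\services'
$marker = Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue
if ($marker -and $marker.PSObject.Properties['del']) {
    $findings += "Marker value 'del' = $($marker.del) under $markerKey"
}

# 4. Firewall-tampering values: key, value name, and the data the trojan writes.
$fwChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center';                      Name = 'FirewallDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';           Name = 'Start';                 Bad = 4 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall';        Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall';        Bad = 0 }
)
foreach ($c in $fwChecks) {
    $item = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$c.Name] -and [int]$item.($c.Name) -eq $c.Bad) {
        $findings += "Firewall tampering: $($c.Key)\$($c.Name) = $($c.Bad)"
    }
}

# 5. Current state of the service that hosts Windows Firewall, independent of the registry.
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    $findings += "Windows Firewall service (SharedAccess) is $($svc.Status)"
}

# 6. Live connections to the download server named in the entry. Get-NetTCPConnection
#    only exists on Windows 8 / Server 2012 and later (assumption: skipped elsewhere).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $conns = Get-NetTCPConnection -RemoteAddress 66.232.113.61 -RemotePort 80 -ErrorAction SilentlyContinue
    foreach ($k in $conns) {
        $findings += "TCP connection to 66.232.113.61:80 from PID $($k.OwningProcess)"
    }
}

if ($findings.Count -eq 0) {
    'No Cutwail.Y indicators found.'
} else {
    $findings
}
```

The dropped files and the "services" autostart value are the primary indicators; the firewall registry values on their own are weaker evidence, since other malware families and some administrators also set EnableFirewall=0 or disable SharedAccess, so treat those findings as corroboration rather than as proof of this family.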
Analysis by Andrei Florin Saygo