TrojanDropper:Win32/Cutwail.E is the generic detection for a Trojan family that drops a system driver to conceal itself, and downloads additional malicious programs onto the infected computer. Downloaded files may be executed from disk or injected directly into another process. The functionality of the files that are downloaded may change, but Win32/Cutwail usually downloads a Trojan which is able to send spam. Win32/Cutwail also uses rootkit and other defensive techniques to avoid detection and removal.
Installation
When executed, Win32/Cutwail attempts to drop a device driver to disk, overwriting the legitimate original.
The filename differs depending on the operating system version. It may be one of:
%SystemRoot%\System32\drivers\ip6fw.sys
%SystemRoot%\System32\drivers\secdrv.sys
%SystemRoot%\System32\drivers\netdtect.sys
Win32/Cutwail then attempts to start the corresponding kernel driver by its service name: Ip6Fw for ip6fw.sys, Secdrv for secdrv.sys, or NetDetect for netdtect.sys.
This driver will attempt to restore various system hooks to their original unhooked state. For example, any System Service Descriptor Table (SSDT) hook will be reverted. By doing this, Win32/Cutwail may be able to circumvent security applications or even other malware which may be installed on the system.
Win32/Cutwail then drops a second device driver to disk as %SystemRoot%\System32\drivers\runtime.sys, and installs it via the following registry modifications:
Adds values with data:
ImagePath= "%SystemRoot%\System32\drivers\runtime.sys"
Type = 0x1
Start = 0x3
Within subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\
Win32/Cutwail then loads the driver. This driver is able to stealth processes for a supplied process id (PID) by directly manipulating the EPROCESS structure.
Payload
Downloads and Executes Arbitrary Files
Win32/Cutwail attempts to launch a copy of Internet Explorer from the following location:
%ProgramFiles%\Internet Explorer\iexplore.exe
It then injects the downloading component into this process, where it executes. Win32/Cutwail then instructs runtime.sys to stealth the iexplore.exe process, after which runtime.sys is deleted.
The downloading component creates the mutex: k4j.32H_f7z_Z6e.g8G0
It then attempts to connect to one of several hardcoded remote hosts to download a software bundle.
Cutwail creates a file during the download process, selecting the name randomly from the following list:
%windir%\system32\9_exception.nls
%windir%\system32\8_exception.nls
%windir%\system32\7_exception.nls
%windir%\system32\6_exception.nls
%windir%\system32\5_exception.nls
%windir%\system32\4_exception.nls
%windir%\system32\3_exception.nls
%windir%\system32\2_exception.nls
%windir%\system32\1_exception.nls
%windir%\system32\0_exception.nls
Cutwail may also create the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme\Last
Additional Information
Executables from within the downloaded software bundle may be written to disk or injected directly into Internet Explorer. Those that are written to disk are given a random numerical filename and placed in the %temp% directory, e.g. %temp%\1193135.exe.
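The following PowerShell triage script is an added example, not part of the original entry or of any Microsoft tooling; it checks a Windows host for the Installation and Payload artifacts described above (the overwritten drivers, the runtime service key, the staging files, the theme registry value and the downloader mutex) and reports them without removing anything. It assumes it is run elevated.

```powershell
# Added triage example (not from the original entry): report the on-disk and
# registry artifacts this entry attributes to Win32/Cutwail. Read-only.
$findings = @()

# 1. Drivers that Cutwail overwrites. The genuine files are Microsoft-signed, so
#    a missing or invalid Authenticode signature is suspicious. On old PowerShell
#    versions that do not consult catalog signatures, 'NotSigned' needs a manual check.
foreach ($name in 'ip6fw.sys', 'secdrv.sys', 'netdtect.sys') {
    $path = Join-Path $env:SystemRoot "System32\drivers\$name"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "Driver $path has signature status '$($sig.Status)'"
        }
    }
}

# 2. The second driver and the service key that loads it (Type 1 = kernel driver,
#    Start 3 = demand start, matching the values listed in the entry).
$runtimeSys = Join-Path $env:SystemRoot 'System32\drivers\runtime.sys'
if (Test-Path $runtimeSys) { $findings += "Dropped driver present: $runtimeSys" }
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\runtime'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service key present: $svcKey (ImagePath='$($svc.ImagePath)', Type=$($svc.Type), Start=$($svc.Start))"
}

# 3. Download staging files: a single digit followed by _exception.nls in System32.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter '*_exception.nls' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9]_exception\.nls$' } |
    ForEach-Object { $findings += "Staging file present: $($_.FullName)" }

# 4. Registry value the downloader may create under the current user's hive.
$themeKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Themes\LastTheme'
if ((Test-Path $themeKey) -and ($null -ne (Get-ItemProperty -Path $themeKey).Last)) {
    $findings += "Value present: $themeKey\Last"
}

# 5. The downloader's mutex. OpenExisting succeeds only if the mutex exists in the
#    current session namespace; an access error also means it exists.
try {
    $m = [System.Threading.Mutex]::OpenExisting('k4j.32H_f7z_Z6e.g8G0')
    $m.Dispose()
    $findings += 'Mutex k4j.32H_f7z_Z6e.g8G0 is present (downloader may be running)'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex k4j.32H_f7z_Z6e.g8G0 exists but could not be opened'
}

if ($findings.Count -eq 0) { 'No Win32/Cutwail artifacts found.' } else { $findings }
```

A hidden iexplore.exe process will not show up in this check, since runtime.sys unlinks it from the process list; compare the output with a second enumeration source (for example a kernel-level tool or an offline memory image) when the other artifacts are present.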