Threat behavior
TrojanDropper:Win32/Cutwail.T is a Trojan that drops a system driver to conceal itself, and downloads additional malicious programs onto the infected computer. Downloaded files may be executed from disk or injected directly into another process. Win32/Cutwail uses a rootkit and other defensive techniques to avoid detection and removal.
Installation
When executed, TrojanDropper:Win32/Cutwail.T drops the following files:
- <system folder>\drivers\runtime.sys (detected as VirTool:WinNT/Cutwail.gen!B)
- <system folder>\drivers\[3 letters 2 digits].sys, for example Yjo31.sys (detected as VirTool:WinNT/Cutwail.F)
TrojanDropper:Win32/Cutwail.T modifies the registry in order to install its device driver:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\runtime
This Trojan also runs a hidden instance of Internet Explorer, and injects code into this process.
TrojanDropper:Win32/Cutwail.T may create the following file, which acts as a marker of infection:
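The file and registry artifacts listed under Installation are straightforward to hunt for. The following is an added example (not part of the original description or any Microsoft tool) that checks a service list and a drivers-directory listing against those indicators; the sample registry and file data at the bottom are constructed for a stand-alone run, and the random-name pattern is treated as a weak indicator because short driver names are common for legitimate drivers.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the description above.
MARKER_SERVICE = "runtime"          # HKLM\System\CurrentControlSet\Services\runtime
MARKER_DRIVER = "runtime.sys"       # <system folder>\drivers\runtime.sys
# <system folder>\drivers\[3 letters 2 digits].sys, e.g. Yjo31.sys
RANDOM_DRIVER_RE = re.compile(r"^[A-Za-z]{3}[0-9]{2}\.sys$")


def find_cutwail_artifacts(services: Dict[str, str], driver_files: Iterable[str]) -> List[str]:
    """Return human-readable findings for the Cutwail.T installation artifacts.

    services     : mapping of service key name -> ImagePath value, as read from
                   HKLM\\System\\CurrentControlSet\\Services
    driver_files : file names found in <system folder>\\drivers
    """
    findings: List[str] = []
    for name, image_path in services.items():
        if name.lower() == MARKER_SERVICE:
            findings.append(f"service '{name}' present (ImagePath={image_path})")
        elif image_path.lower().endswith(MARKER_DRIVER):
            findings.append(f"service '{name}' loads {MARKER_DRIVER}")
    for fname in driver_files:
        if fname.lower() == MARKER_DRIVER:
            findings.append(f"driver file {fname} present")
        elif RANDOM_DRIVER_RE.match(fname):
            # Weak indicator: short names like this also occur for benign drivers,
            # so treat it as corroborating evidence rather than proof on its own.
            findings.append(f"driver file {fname} matches [3 letters 2 digits].sys (weak)")
    return findings


# Constructed sample data (not a real registry dump or directory listing).
SAMPLE_SERVICES = {
    "Tcpip": r"System32\DRIVERS\tcpip.sys",
    "runtime": r"\SystemRoot\System32\drivers\runtime.sys",
}
SAMPLE_DRIVERS = ["tcpip.sys", "runtime.sys", "Yjo31.sys", "ntfs.sys", "abc1.sys"]

if __name__ == "__main__":
    for line in find_cutwail_artifacts(SAMPLE_SERVICES, SAMPLE_DRIVERS):
        print(line)
```

On a live system the two inputs would be populated from the Services registry key and the drivers directory; the matching logic is unchanged.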
Payload
Downloads and Executes Arbitrary Files
The injected code connects to any of several hard-coded IP addresses to download unwanted software or malicious code.
Additional Information
This Trojan may arrive in spammed e-mails that have a file attachment such as "card.scr", and subject lines similar to the following:
"You have card"
"Card from Adult Sex Finder"
"Card from Adult Friend Finder"
Prevention