TrojanDropper:Win32/Cutwail.gen!H

TrojanDropper:Win32/Cutwail.gen!H is a generic detection for a Trojan family that drops a system driver to conceal itself, and downloads additional malicious programs onto the infected computer. The functionality of the files that are downloaded may change, but Win32/Cutwail usually downloads a Trojan, which is able to send spam. Win32/Cutwail also uses rootkit and other defensive techniques to avoid detection and removal.
 
TrojanDropper:Win32/Cutwail.gen!H may arrive in the system as an attachment to a spammed email.

 

When executed, it attempts to drop a device driver, detected as VirTool:WinNT/Cutwail.K, into the system folder. The device driver's file name is randomly generated and is comprised of 3 characters followed by 2 digits, for example, "pvy57.sys".

 

It then modifies the system registry to allow the dropped driver to automatically execute as a service every time Windows starts, even when in Safe Mode. For example:

 

Adds value: "(default)"
With data: "driver"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pvy57.sys

 

Adds value: "(default)"
With data: "driver"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Safeboot\Pvy57.sys

 

Adds value: "Type"
With data: "1"
To subkey: HKLM\SYSTEM\ControlSet001\Services\Pvy57

 

Adds value: "Type"
With data: "1"
To subkey: HKLM\SYSTEM\ControlSet003\Services\Pvy57

 

Systems in which Cutwail.gen!H is running may attempt to connect to the following remote hosts: