VIRUS ALERTS

Cutwail Trojan

Original issue date: February 05, 2008

It has been observed that a Trojan named Cutwail is circulating widely.
It propagates by attaching a copy of itself to email messages whose
message body lures users into opening the attachment, which installs the
malware on their system. Once installed, it attempts to connect to
remote servers to download and execute malicious files on the
infected system.

One of these malicious files harvests email addresses recursively from files in the %UserProfile% directory, saves them to C:\as.txt and sends that file to a remote server. The second executable attempts to connect to a remote server and retrieves subject lines and message bodies for sending email messages to the harvested addresses.

Other downloaded files are used to update the Trojan to its latest variant.
The Trojan also has the functionality to open a backdoor on the infected system, which a remote attacker uses to perform malicious activities. It also installs a rootkit to avoid detection.

Aliases: Trojan.Pandex [Symantec], Win32/Cutwail [Microsoft]

Upon execution, the Trojan:

  • Drops one or two files to the %Windows%\System32\drivers directory or the %Temp% directory.
  • Attempts to drop a device driver into "%SystemRoot%\System32\drivers", overwriting the legitimate original. The filename depends on the operating system version of the affected machine; it may be ip6fw.sys, secdrv.sys or netdtect.sys.
  • Attempts to start the corresponding kernel driver by name:
    • Ip6Fw
    • Secdrv
    • NetDetect
  • Drops a second file, "runtime.sys", and loads it into kernel memory as a device driver.
  • Creates the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime\Start = 0x3
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime\Type = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime\ImagePath = "\??\%Windows%\System32\drivers\runtime.sys"
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x3
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ErrorControl = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\??\%Windows%\System32\drivers\runtime2.sys"
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\SystemRoot\system32\drivers\runtime2.sys"
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\runtime2\DependOnGroup = "File System"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys\(Default) = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys\(Default) = "Driver"
    • HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\Start = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\Type = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\ErrorControl = 0x1
    • HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\ImagePath = "\??\%Windows%\System32\main.sys"
  • Creates the following registry entry to ensure its execution on every system startup:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv = "%Windows%\Temp\startdrv.exe"
  • Searches files whose extensions begin with the following strings
    to harvest email addresses:
    .txt, .adb, .asp, .dbx, .eml, .fpt, .htm, .inb, .mbx, .php, .pmr, .sht, .tbb, .wab
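The service names, driver file names, SafeBoot entries and Run value listed above are the indicators a responder would look for on a suspect host. The following script is an added example and not part of the CERT-In advisory: it parses a registry export in .reg text format (the format written by "reg export") together with a list of file paths, and flags entries that match the advisory's indicators. The .reg text and the file list embedded below are constructed samples; the script does not read the live registry, so on a real host you would first export the Services, SafeBoot and Run keys and list the drivers directory, then feed those in. The "review" tier exists because ip6fw.sys, secdrv.sys and netdtect.sys are legitimate driver names that the Trojan overwrites, so their mere presence is not an indicator; only a hash comparison against a known-good copy settles that.

```python
"""Added example: check a .reg export and a file list for Cutwail indicators
taken from the CERT-In advisory. Inputs below are constructed samples."""
import re

# Indicators named in the advisory (service names, Run value, dropped files).
SUSPECT_SERVICES = {"runtime", "runtime2", "example"}
SUSPECT_RUN_VALUE = "startdrv"
SUSPECT_FILES = {"runtime.sys", "runtime2.sys", "main.sys", "startdrv.exe"}
SUSPECT_SAFEBOOT = {"runtime2.sys"}
# Legitimate driver names the Trojan overwrites: presence alone proves nothing.
OVERWRITTEN_DRIVERS = {"ip6fw.sys", "secdrv.sys", "netdtect.sys"}

SERVICE_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
SAFEBOOT_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)
RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"


def _decode(data):
    """Decode a .reg value: quoted strings (with \\ escaping) or dword:hex."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) and other types are kept raw


def _basename(path):
    """Lower-cased final path component; handles \\??\\ and forward slashes."""
    return re.split(r"[\\/]", path)[-1].lower() if isinstance(path, str) else ""


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_data}} from .reg text.
    Continuation lines of multi-line hex(...) values contain no '=' and are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name.strip() == "@" else name.strip().strip('"')
            keys[current][name] = _decode(data.strip())
    return keys


def scan_registry(keys):
    """One finding per matching service key, SafeBoot entry or Run value."""
    findings = []
    for path, values in keys.items():
        lower_vals = {k.lower(): v for k, v in values.items()}
        m = SERVICE_RE.match(path)
        if m:
            reasons = []
            if m.group(1).lower() in SUSPECT_SERVICES:
                reasons.append("service name listed in advisory")
            image = _basename(lower_vals.get("imagepath", ""))
            if image in SUSPECT_FILES:
                reasons.append("ImagePath points at %s" % image)
            if reasons:
                findings.append({"kind": "service", "key": path, "detail": "; ".join(reasons)})
        elif SAFEBOOT_RE.match(path):
            if SAFEBOOT_RE.match(path).group(2).lower() in SUSPECT_SAFEBOOT:
                findings.append({"kind": "safeboot", "key": path, "detail": "driver registered to load in Safe Mode"})
        elif path.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == SUSPECT_RUN_VALUE or _basename(data) in SUSPECT_FILES:
                    findings.append({"kind": "run", "key": path, "detail": "autorun value %s = %s" % (name, data)})
    return findings


def scan_files(paths):
    """Flag dropped files by name; mark overwritten-driver names for hash review."""
    findings = []
    for p in paths:
        name = _basename(p)
        if name in SUSPECT_FILES or p.lower() == "c:\\as.txt":
            findings.append({"kind": "file", "path": p, "detail": "file name listed in advisory"})
        elif name in OVERWRITTEN_DRIVERS:
            findings.append({"kind": "review", "path": p,
                             "detail": "legitimate driver the Trojan may overwrite; compare hash with a known-good copy"})
    return findings


# Constructed sample export: one infected service, its SafeBoot entry, the Run
# value, plus a benign service and a benign Run value as negatives.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2]
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\System32\\drivers\\runtime2.sys"
"DependOnGroup"="File System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"startdrv"="C:\\WINDOWS\\Temp\\startdrv.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
"""

# Constructed sample file listing (mixed indicators and benign entries).
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\drivers\runtime2.sys",
    r"C:\WINDOWS\Temp\startdrv.exe",
    r"C:\as.txt",
    r"C:\WINDOWS\System32\drivers\ip6fw.sys",
    r"C:\WINDOWS\System32\drivers\beep.sys",
]

if __name__ == "__main__":
    for f in scan_registry(parse_reg_export(SAMPLE_REG)) + scan_files(SAMPLE_FILES):
        print(f)
```

Running the script on the constructed samples reports the runtime2 service (both by name and by its ImagePath), the SafeBoot entry, the startdrv autorun value, three dropped files and one driver name to verify by hash; the Beep service, ctfmon.exe and beep.sys produce nothing. Because the advisory's ImagePath and Run data reference the dropped file names, the ImagePath and Run checks also catch a variant that renames its service but keeps the driver file name.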

In view of the rapid propagation of the Cutwail Trojan, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created/initiated by
    Cutwail Trojan mentioned above and delete the same
  • Search for the registry entries mentioned above made by the
    Cutwail Trojan and delete the same
  • Install and maintain updated anti-virus software at gateway and
    desktop level
  • Install and maintain updated anti-spyware software at desktop
    level
  • Keep up-to-date on patches and fixes on the operating system
  • Install and maintain Desktop Firewall and block the ports which
    are not required

References

http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99&tabid=2

http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fCutwail

http://ca.com/securityadvisor/virusinfo/virus.aspx?ID=62470

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003