Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Dldr.Cutwail.BA.28
Date discovered:13/03/2011
Type:Trojan
Subtype:Downloader
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:60.416 Bytes
MD5 checksum:97af57ce4937a43fd93fe0ae13544dc8
VDF version:7.10.09.164
IVDF version:7.11.04.178 - Sunday, March 13, 2011

 General Aliases:
   •  Kaspersky: Backdoor.Win32.Bifrose.dsgr
   •  F-Secure: Backdoor.Win32.Bifrose.dsgr
   •  Eset: Win32/Wigon.OT
   •  DrWeb: BackDoor.Bulknet.511


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\wuaucldt.exe
   • %HOME%\wuaucldt.exe



It deletes the initially executed copy of itself.




It tries to execute the following files:

– Filename:
   • %SYSDIR%\wuaucldt.exe


– Filename:
   • %SYSDIR%\svchost.exe


– Filename:
   • %SYSDIR%\cmd.exe /c del %executed file%

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "wuaucldt"="%HOME%\wuaucldt.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "wuaucldt"="%SYSDIR%\wuaucldt.exe"

 Backdoor Contact server:
All of the following:
   • www.jica.**********.jp:443 (TCP)
   • 200.192.14**********.87:443 (TCP)
   • 77.120.12**********.35:443 (TCP)
   • 91.196.**********.24:443 (TCP)
   • 109.72.12**********.165:443 (TCP)
   • 207.44.22**********.4:443 (TCP)
   • 202.218.17**********.179:443 (TCP)
   • spooky.cartoons.or**********.ua:443 (TCP)
   • 195.182.19**********.2:443 (TCP)
   • ssl876.locaweb.co**********.br:443 (TCP)
   • cps-h3.ep.sci.hokudai.**********.jp:443 (TCP)
   • www.aan**********.jp:443 (TCP)
   • itmedia.sma**********.jp:443 (TCP)
   • www.imagemfolheados.co**********.br:443 (TCP)
   • www.ris**********.jp:443 (TCP)
   • ssl.for**********.jp:443 (TCP)
   • sec**********.fox:443 (TCP)
   • masterkey.co**********.ua:443 (TCP)
   • www.mar**********.jp:443 (TCP)
   • g105.secure.**********.jp:443 (TCP)
   • 77.120.10**********.50:443 (TCP)
   • cg.ces.kyutech.**********.jp:443 (TCP)
   • bookweb.kinokuniya.**********.jp:443 (TCP)
   • 64.56.**********.34:443 (TCP)
   • 201.20.**********.207:443 (TCP)
   • 91.203.14**********.30:443 (TCP)
   • 64.56.**********.36:443 (TCP)
   • 193.23.**********.228:443 (TCP)
   • www.jaif.**********.jp:443 (TCP)
   • www.sextoy.co**********.br:443 (TCP)
   • m-repo.lib.meiji.**********.jp:443 (TCP)
   • 193.178.14**********.110:443 (TCP)
   • isu2.tup.**********.ua:443 (TCP)
   • 193.95.15**********.4:443 (TCP)
   • 64.79.19**********.143:443 (TCP)
   • wow.merlin.or**********.ua:443 (TCP)
   • loja.tray.co**********.br:443 (TCP)
   • bunker.or**********.ua:443 (TCP)
   • forums.ubu**********.jp:443 (TCP)
   • 168.218.19**********.240:443 (TCP)
   • weather.**********.ua:443 (TCP)
   • 208.110.**********.34:443 (TCP)
   • www.iknow.**********.jp:443 (TCP)
   • 69.57.12**********.35:443 (TCP)
   • 193.110.16**********.66:443 (TCP)
   • 210.157.**********.25:443 (TCP)
   • 210.147.**********.22:443 (TCP)
   • 204.13.24**********.107:443 (TCP)
   • www.digimer.co**********.br:443 (TCP)
   • www.gsec.keio.**********.jp:443 (TCP)
   • www.guiaseshop.co**********.br:443 (TCP)
   • www.mye**********.jp:443 (TCP)
   • center.umin.**********.jp:443 (TCP)
   • 208.110.**********.35:443 (TCP)
   • 82.193.12**********.190:443 (TCP)
   • 122.219.25**********.105:443 (TCP)
   • 211.133.13**********.87:443 (TCP)
   • 87.239.18**********.105:443 (TCP)
   • nodes.co**********.ua:443 (TCP)
   • www.saredrogarias.co**********.br:443 (TCP)
   • 201.76.**********.168:443 (TCP)
   • 173.222.**********.241:443 (TCP)
   • 64.41.14**********.74:443 (TCP)
   • 210.171.13**********.16:443 (TCP)
   • www.wolfram.**********.jp:443 (TCP)
   • 208.110.**********.36:443 (TCP)
   • www.rulez.or**********.ua:443 (TCP)
   • forum.gryada.or**********.ua:443 (TCP)
   • www.miltenyibiotec.**********.jp:443 (TCP)
   • 202.191.11**********.9:443 (TCP)
   • 219.99.16**********.41:443 (TCP)
   • 140.177.20**********.56:443 (TCP)
   • www.billboxrecords.co**********.br:443 (TCP)
   • 133.87.**********.189:443 (TCP)
   • www.stone.**********.ua:443 (TCP)
   • 76.164.22**********.58:443 (TCP)
   • direct.ips.**********.jp:443 (TCP)
   • 163.209.18**********.1:443 (TCP)
   • 203.79.**********.228:443 (TCP)
   • 219.94.15**********.204:443 (TCP)
   • www.okilogistics.**********.jp:443 (TCP)
   • 76.164.22**********.59:443 (TCP)
   • 69.72.14**********.166:443 (TCP)
   • www.mlh.**********.jp:443 (TCP)
   • 202.172.**********.253:443 (TCP)
   • 76.164.22**********.60:443 (TCP)
   • 202.214.**********.79:443 (TCP)
   • k.jfc.**********.jp:443 (TCP)
   • ss1.cor**********.jp:443 (TCP)
   • mst.co**********.ua:443 (TCP)
   • www.science-forum.**********.jp:443 (TCP)
   • www.imusica.co**********.br:443 (TCP)
   • 76.164.23**********.138:443 (TCP)
   • 164.46.22**********.120:443 (TCP)
   • 61.120.**********.37:443 (TCP)
   • 76.164.23**********.139:443 (TCP)


 Injection – It injects a backdoor routine into a process.

    Process name:
   • explorer.exe


 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, June 27, 2011
Description updated by Petre Galan on Monday, June 27, 2011

Back . . . .