Virus: TR/Drop.Agent.saf.2
Date discovered: 23/06/2011
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 34.816 Bytes
MD5 checksum: 427C740704D7C196D1E65E15298437CB
VDF version: 7.11.10.77 - Thursday, June 23, 2011
IVDF version: 7.11.10.77 - Thursday, June 23, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  TrendMicro: TROJ_CUTWAIL.LOL
   •  Sophos: Mal/SpyEye-L
   •  Microsoft: TrojanDownloader:Win32/Cutwail.BE


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Downloads files
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %HOME%\%random character string%.exe



The following files are created:
   • %TEMPDIR%\MSWQ%letter%.tmp
   • %TEMPDIR%\MSWQ%letter%.tmp

Registry
The following registry entries are added continuously, in an infinite loop, in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%HOME%\%random character string%.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Regedit32"="%SYSDIR%\regedit.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion]
   • "%random character string%"=%hex values%

– [HKCU\Software\Microsoft]
   • "OSVersion"="%number%"

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List\%SYSDIR%]
   • "svchost.exe"="%SYSDIR%\svchost.exe:*:Enabled:Microsoft Office"

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List\%SYSDIR%]
   • "svchost.exe"="%SYSDIR%\svchost.exe:*:Enabled:Microsoft Office"

– [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
   • "MaxUserPort"=dword:0000FFFE

– [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
   • "MaxUserPort"=dword:0000FFFE
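
As an added defender's check, not part of the Avira description: a read-only PowerShell script that looks for the registry artefacts listed above (the Run values, the svchost.exe firewall exception labelled "Microsoft Office", and the MaxUserPort change). It assumes that %HOME% is the user's profile directory and that the firewall entry's real value name is the full svchost.exe path directly under the List key (the listing above splits that name into "%SYSDIR%" and "svchost.exe").

```powershell
# Added example, not from the Avira description: read-only check for the
# registry artefacts listed above. Run in an elevated PowerShell on a
# suspect host; it only reads the registry and prints what it finds.
# Assumptions: %HOME% is the user's profile directory, and the firewall
# value is named with the full svchost.exe path directly under ...\List.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the fixed "Regedit32" value in the HKLM Run key, and any
#    HKCU Run value that launches an .exe sitting directly in the profile root
#    (the HKCU value name itself is random, so it cannot be matched by name).
$hklmRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$regedit32 = (Get-ItemProperty -Path $hklmRun -ErrorAction SilentlyContinue).Regedit32
if ($regedit32) { $findings.Add("HKLM Run\Regedit32 = $regedit32") }

$hkcuRun = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$profileRoot = [regex]::Escape($env:USERPROFILE)
if ($hkcuRun) {
    foreach ($p in @($hkcuRun.PSObject.Properties)) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match "^`"?$profileRoot\\[^\\]+\.exe`"?$") {
            $findings.Add("HKCU Run\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. Firewall whitelisting and port-range change, in both control sets named above.
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $list = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    $apps = Get-ItemProperty -Path $list -ErrorAction SilentlyContinue
    if ($apps) {
        foreach ($p in @($apps.PSObject.Properties)) {
            # The generic service host has no business in the application
            # exception list; the bogus "Microsoft Office" label is the second tell.
            if ($p.Name -like '*\svchost.exe' -and "$($p.Value)" -like '*:Enabled:Microsoft Office') {
                $findings.Add("$cs firewall exception: $($p.Name) = $($p.Value)")
            }
        }
    }
    $tcp = "HKLM:\SYSTEM\$cs\Services\Tcpip\Parameters"
    $maxUserPort = (Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue).MaxUserPort
    if ($maxUserPort -eq 0xFFFE) {
        $findings.Add(("$cs Tcpip\MaxUserPort = 0x{0:X4}" -f $maxUserPort))
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No TR/Drop.Agent.saf.2 registry indicators found.' }
```

A hit on any single item is not proof of infection on its own (an administrator may legitimately raise MaxUserPort), but the svchost.exe exception and the Regedit32 Run value together match this description closely.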

Mailing
Search addresses:
It searches files of the following type for email addresses:
   • html

Backdoor
Contact server: it must reach all of the servers in its built-in list, each over port 443 (the addresses are masked in the original description).

As a result it may send information and provide remote control.

Sends information about:
   • Cached passwords
   • Collected email addresses
   • Collected information described in the stealing section

Remote control capabilities:
   • Send emails

Stealing
It tries to steal the following information:

– Passwords from the following programs:
   • SmartFTP
   • TurboFTP
   • CuteFTP
   • MS IE
   • WS_FTP
   • FileZilla
   • Total Commander
   • FAR

Injection
It injects itself as a remote thread into a process.

Process name:
   • svchost.exe


Miscellaneous
Accesses internet resources:
   • www.whatsmyip.org

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Wednesday, August 10, 2011
Description updated by Andrei Ilie on Friday, August 12, 2011
