Date discovered: 23/06/2011
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
File size: 34.816 Bytes
MD5 checksum: 427C740704D7C196D1E65E15298437CB
VDF version: - Thursday, June 23, 2011
IVDF version: - Thursday, June 23, 2011

General
Method of propagation:
   • No own spreading routine

Aliases:
   • TrendMicro: TROJ_CUTWAIL.LOL
   • Sophos: Mal/SpyEye-L
   • Microsoft: TrojanDownloader:Win32/Cutwail.BE

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Downloads files
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %HOME%\%random character string%.exe

The following files are created:


Registry
The following registry values are added, and continuously re-added in a loop, so that the process runs again after a reboot:

   • "%random character string%"="%HOME%\%random character string%.exe"

   • "Regedit32"="%SYSDIR%\regedit.exe"

The following registry keys are added:

   • "%random character string%"=%hex values%

   • "OSVersion"="%number%"

   • "svchost.exe"="%SYSDIR%\svchost.exe:*:Enabled:Microsoft Office"

   • "svchost.exe"="%SYSDIR%\svchost.exe:*:Enabled:Microsoft Office"

   • "MaxUserPort"=dword:0000FFFE

   • "MaxUserPort"=dword:0000FFFE

Mailing
Search addresses:
It searches files of the following type for email addresses:
   • html

Backdoor
Contact server:
All of the following:
   • **********.37.197.156:443
   • **********.37.249.208:443
   • **********.37.249.209:443
   • **********
   • **********
   • **********
   • **********
   • **********
   • **********
   • **********

As a result it may send information to these servers, and remote control of the infected system could be provided.

Sends information about:
   • Cached passwords
   • Collected Email addresses
   • Collected information described in stealing section

Remote control capabilities:
   • Send emails

Stealing
It tries to steal the following information:

Passwords from the following programs:
   • SmartFTP
   • TurboFTP
   • CuteFTP
   • MS IE
   • WS_FTP
   • FileZilla
   • Total Commander
   • FAR

Injection
It injects itself as a remote thread into a process.

Process name:
   • svchost.exe

Miscellaneous
Accesses internet resources:

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Wednesday, August 10, 2011
Description updated by Andrei Ilie on Friday, August 12, 2011
