
Cutwail

Posted: October 17, 2008

Cutwail is a family of spambots: Trojans that exploit your PC's resources to send spam messages (typically via e-mail). These messages may distribute more threats to third parties and degrade the performance of your PC. Some members of the Cutwail family also include other attacks directed against the infected computer, such as attacks for collecting information. Symptoms of a possible Cutwail infection should always be addressed by using anti-malware products to remove Cutwail and all components related to Cutwail.

Cutwail: Converting Your Computer to a Threat Distribution Hub

Cutwail is a family of Trojans known primarily for their attacks directed against external targets, rather than against the infected PC. Cutwail uses e-mail spam to distribute other threats, including installers for itself, but does so without showing any visible indications of the activities taking place. Spam messages may disguise themselves as invoices, package notifications or business transactions, but can be identified by their use of unusual file attachments and embedded hyperlinks. Some PC users may notice Cutwail infections by their side effects, which include excessive usage of system resources, with corresponding software instability, slowdowns and crashes. Nonetheless, the majority of Cutwail's attacks don't display observable symptoms.

Along with sending spam e-mail, Cutwail may be a party to additional attacks targeting the original, compromised machine:

  • Cutwail may collect passwords from popular e-mail clients or your Web browser. Compromised e-mail accounts may be used to send Cutwail's spam. Chrome, Internet Explorer, Firefox, Outlook, Windows Live Mail, IncrediMail and Thunderbird are examples of programs targeted by these attacks.
  • Cutwail may download and launch other files, including installing other Trojans. Threats that malware researchers have linked to Cutwail's downloads include Vawtrak, Fareit spyware, Security Cleaner Pro (a rogue system scanner), Vobfus and the Pushdo Trojan.

Cutting Off Cutwail Before It E-mails Your Friends

Cutwail's components use a combination of in-memory processes hidden from the Windows Task Manager, rootkit techniques and SSDT function hooks to block their detection or removal. Accordingly, malware experts recommend using the same anti-malware tools you'd use against rootkits, spyware and other high-level threats for identifying or removing Cutwail. Personal information also should be re-secured to prevent criminals from exploiting any information that Cutwail may have transferred to them during its stay on your hard drive.

Cutwail's favorite Trojan-distributing exploits also make it clear that PC users will continue to need to monitor suspicious e-mail messages for the indefinite future. With at least seven years of history behind it and no forthcoming slowdowns in its anticipated operations, Cutwail gives everyone a clear reason to scan e-mail attachments, avoid embedded links and delete suspicious messages.

Some components of Cutwail, such as corrupted drivers, may overwrite original Windows files. A recovery may necessitate repairing Windows appropriately, rather than deleting the files without replacing them.

File System Modifications

  • The following files were created in the system:
    1. outpuk24[1].exe
    2. setupapi.dll

Registry Modifications

  • The following newly produced Registry Values are:

    Subkeys:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%SYSTEM%]\setup.dll
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%SYSTEM%]\winlog.exe
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, startkey=[%WINDOWS%]\winnows.exe
      HKEY_CURRENT_USER\software\dimaware
      HKEY_CURRENT_USER\software\wget
      HKEY_LOCAL_MACHINE\software\dimaware
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}
      HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{c4de5b15-4ffe-4c02-8cb3-cad24a33562b}
      HKEY_LOCAL_MACHINE\software\wget

    Registry Keys:
      HKEY_CLASSES_ROOT\clsid\{36b0a261-ea24-6be5-6027-7fc4035dd69b}
      HKEY_CLASSES_ROOT\clsid\{51704c8a-007a-8362-32d7-c2ee36ce9214}
      HKEY_CLASSES_ROOT\clsid\{7b5a24ee-1a07-53ab-eb60-eb908c88e935}
      HKEY_CLASSES_ROOT\clsid\{97b59ad2-1228-70b8-ca0b-b7594efcbe07}
      HKEY_CLASSES_ROOT\clsid\{f7405b81-92e2-ba64-ee73-933738d57403}
      HKEY_LOCAL_MACHINE\system\currentcontrolset001\control\safeboot\minimal\ctl_w32.sys
      HKEY_LOCAL_MACHINE\system\currentcontrolset001\control\safeboot\network\ctl_w32.sys
      HKEY_LOCAL_MACHINE\system\currentcontrolset001\services\ctl_w32
      HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_ctl_w32
      HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_ndnet1
      HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_runtime
      HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_runtime2
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ndnet1
      HKEY_LOCAL_MACHINE\system\currentcontrolset\services\runtime

    Run Keys (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\...):
      HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=
      HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, startdrv=[%WINDOWS%]\Temp\startdrv.exe

    Uninstaller entry (under HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall):
      xvid
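The registry entries above are the kind of indicator a responder checks on a suspect machine. The following script is an added example (not code from this page or from any anti-malware vendor): it parses a registry export in the text format written by `reg export` and flags the autostart values, service, SafeBoot, Enum and COM keys listed above. The export it scans is constructed for the demo, and matching is done on key-path suffixes (so both `CurrentControlSet` and a numbered control set match); a hit on a generic name such as `\services\runtime` or `\software\wget` is an assumption worth triaging rather than proof of infection.

```python
"""Scan a Windows registry export (.reg text, as produced by `reg export`)
for the Cutwail registry indicators listed on this page.
Added example; the sample export below is constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Autostart value names from the page, keyed by the (lower-cased) Run key they sat under.
CUTWAIL_RUN_VALUES = {
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run": {"startkey"},
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run": {"startdrv"},
}

# Key-path suffixes from the page (services, SafeBoot, Enum, marker keys, COM GUIDs).
CUTWAIL_KEY_SUFFIXES = (
    "\\services\\ctl_w32", "\\services\\ndnet1", "\\services\\runtime",
    "\\safeboot\\minimal\\ctl_w32.sys", "\\safeboot\\network\\ctl_w32.sys",
    "\\enum\\root\\legacy_ctl_w32", "\\enum\\root\\legacy_ndnet1",
    "\\enum\\root\\legacy_runtime", "\\enum\\root\\legacy_runtime2",
    "\\software\\dimaware", "\\software\\wget",
    "\\installed components\\{9b71d88c-c598-4935-c5d1-43aa4db90836}",
    "\\browser helper objects\\{c4de5b15-4ffe-4c02-8cb3-cad24a33562b}",
    "\\clsid\\{36b0a261-ea24-6be5-6027-7fc4035dd69b}",
    "\\clsid\\{51704c8a-007a-8362-32d7-c2ee36ce9214}",
    "\\clsid\\{7b5a24ee-1a07-53ab-eb60-eb908c88e935}",
    "\\clsid\\{97b59ad2-1228-70b8-ca0b-b7594efcbe07}",
    "\\clsid\\{f7405b81-92e2-ba64-ee73-933738d57403}",
)

# A .reg value line: "name"=data  or  @=data (default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass
class Finding:
    key: str              # lower-cased key path
    value: Optional[str]  # value name, or None when the key itself is the indicator
    reason: str


def parse_reg_export(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (key, value_name, raw_data). A bare key yields value_name=None.
    Multi-line hex values (trailing backslash continuations) are not needed here."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            yield key, name, m.group(2)


def scan_reg_export(text: str) -> List[Finding]:
    """Return every key or autostart value that matches a page-listed indicator."""
    findings: List[Finding] = []
    for key, name, data in parse_reg_export(text):
        if name is None:
            if key.endswith(CUTWAIL_KEY_SUFFIXES):
                findings.append(Finding(key, None, "key path listed for Cutwail"))
            continue
        wanted = CUTWAIL_RUN_VALUES.get(key)
        if wanted and name.lower() in wanted:
            findings.append(Finding(key, name, f"Cutwail autostart value {name}={data}"))
    return findings


# Constructed export: two benign autostarts, one benign service, five indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"startkey"="C:\\WINDOWS\\system32\\winlog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"startdrv"="C:\\WINDOWS\\Temp\\startdrv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctl_w32]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ctl_w32.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4de5b15-4ffe-4c02-8cb3-cad24a33562b}]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_EXPORT):
        print(f"{f.reason}: {f.key}" + (f" [{f.value}]" if f.value else ""))
```

On a real machine you would feed the script the output of `reg export HKLM\SYSTEM` and the `Run` keys rather than the embedded sample, and treat hits as a lead for the full-scan and rootkit-capable tooling the text above recommends, since the page also notes that Cutwail hides processes and hooks the SSDT, so a clean registry export alone does not clear a host.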

One Comment

  • Melissa says:

    Trojan virus help, need info, not removing? My AVG detected a virus called Trojan horse PSW.Onlinegames3.ATEE. I'm not asking you how to remove it because I already know how; I just want to know what does this virus do?
