
Trojan.Cutwail.Z


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Cutwail.Z is also known as Backdoor.Win32.Small.zs, TrojanDownloader:Win32/Cutwail.gen!C, Troj/Agent-LNC, Trojan.Pandex.

Explanation:

This encrypted trojan, once run, will perform the following actions:
- create two copies of itself in the %SYSTEMROOT%\System32 and %HOMEPATH%\%USERNAME% folders under the name reader_s.exe
- create a new process instance by running one of the newly created files
- delete the original file from the disk, keeping only the two copies

The second process instance will register itself at system start-up by creating two new entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run. This operation is repeated every 20 seconds.

In a separate thread, the malware will decrypt an embedded backdoor component. This component will be written into the memory space of a newly created instance of the legitimate svchost.exe by using the WriteProcessMemory API.

The backdoor component will create an external connection for sending data and receiving commands. The data collected and sent over the internet contains only basic system information from the infected host (like number of processors or the system time).
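As an added defender-side example that is not part of the BitDefender entry, the Python below turns the persistence behaviour described above into a detection: it scans registry "value set" records for Run-key entries that are rewritten on a steady cadence of roughly 20 seconds, or whose data points at a file named reader_s.exe, and reports which hive (HKCU or HKLM) each finding lives in. The Sysmon-style event tuples, the value name `reader_s` and the on-disk paths are constructed assumptions, not indicators from the page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style "registry value set" records: (timestamp, target
# object, data written). Not real telemetry; value name and paths are assumed.
SAMPLE_EVENTS = [
    ("2011-11-21T10:00:00", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Windows\System32\reader_s.exe"),
    ("2011-11-21T10:00:00", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Users\victim\reader_s.exe"),
    ("2011-11-21T10:00:05", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Program Files\Updater\updater.exe"),  # benign: written once
    ("2011-11-21T10:00:20", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Windows\System32\reader_s.exe"),
    ("2011-11-21T10:00:20", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Users\victim\reader_s.exe"),
    ("2011-11-21T10:00:40", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Windows\System32\reader_s.exe"),
    ("2011-11-21T10:00:40", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\reader_s",
     r"C:\Users\victim\reader_s.exe"),
]

RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"
SUSPECT_NAME = "reader_s.exe"  # file name given in the description


def find_persistence_candidates(events, min_writes=3, period_s=20, tolerance_s=5):
    """Report Run-key values rewritten >= min_writes times at a steady ~period_s
    cadence (the 20-second re-registration loop), or pointing at SUSPECT_NAME."""
    writes = defaultdict(list)
    for ts, target, data in events:
        if RUN_KEY_MARKER in target.lower():
            writes[(target, data)].append(datetime.fromisoformat(ts))

    findings = []
    for (target, data), times in sorted(writes.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(times) >= min_writes and all(
            abs(g - period_s) <= tolerance_s for g in gaps)
        name_match = data.lower().endswith(SUSPECT_NAME)
        if periodic or name_match:
            findings.append({"hive": target.split("\\", 1)[0], "target": target,
                             "data": data, "writes": len(times),
                             "periodic": periodic, "name_match": name_match})
    return findings
```

The cadence check catches the re-registration loop even if the file name changes, while a single write from a legitimate installer is left alone.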

Last update 21 November 2011
