Email with subject “Hello Darling” contains Cutwail trojan

MX Lab intercepted new emails containing a new variant of the Cutwail trojan, detected under the names Win32:Cutwail-AA (Avast) or W32/Trojan3.BLU (F-Prot). At VirusTotal, only 11 of the 41 AV engines detect the trojan, so the detection rate is quite low.

The message comes from a spoofed email address and has the subject “Hello Darling”. It carries the attachment photo.zip; inside the archive is the 32 kB file photo.exe.

The body of the email is very short:

Hi, how are you? My photos Which I promised in attached file

This Cutwail trojan will create the following files:

c:\2.tmp
c:\3.tmp
c:\4.tmp
c:\5.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys

New processes are created:

%System%\reader_s.exe – 49,152 bytes
%UserProfile%\reader_s.exe – 49,152 bytes

New memory pages created in the address space of the system process(es):

%System%\svchost.exe – 5,124,096 bytes
%System%\svchost.exe – 81,920 bytes

The following registry key is created:

HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect

The newly created registry values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%System%\reader_s.exe”

so that reader_s.exe runs every time Windows starts.

[HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect]
+ Cfg = 09 00 00 00 BE 4B 00 00 4D EE 80 1F BF AC AC AC A5 AC B9 AC AC AC AC AC 7C AC 5E 5F 54 42 5A 5F 42 55 42 57 AC BA AC AC AC AC AC 7C AC 5A 5F 42 5F 5B 54 42 5F 5A 55 42 5B 57 AC B4 AC AC AC AC AC 7C AC 5F 55 58 42 5F 59 59 42 5F 5C 58 42 5E 5F 5C AC B

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%UserProfile%\reader_s.exe”

Connections with the following remote hosts are established:

122.1.235.85:25
129.70.14.10:25
193.243.140.105:25
193.33.99.231:25
194.8.194.96:25
195.95.199.139:25
200.152.177.30:25
202.72.211.115:25
208.70.128.213:25
212.170.236.87:25
159.226.7.162:80
218.61.7.9:80
78.159.121.41:38811

The data requested from the remote server:

hxxp://5job5.cn/l2/1.php
hxxp://5job5.cn/l2/2.php

Since Cutwail has a built-in SMTP engine, it can send out emails from the following addresses:

  • <blowzt37@rialvacuum.com>
  • <parted@rounbehler.com>
  • <monthly78@roubech.com>
  • <glowwormkv9@roy-iris.com>
  • <baronsd24@rell.com>
  • <redefinitionuxwa911@raymondalexander.com>
  • <plazasu51@royalpapyrus.com>
  • <wailingee927@realtorsathens.com>
  • <lieutenancyhtf51@remec.com>
  • <disapprobationsy8@retecinterface.com>
  • <amniocenteseskui32@rciinc.com>
  • <ceausescuyfi99@renoimage.com>
  • <balkmyq4@rowafil.com>
  • <digits9609@ramaker.com>
  • <steviek@rotatori.com>
  • <spangledgkuf4@rdg.boehringer-ingelheim.com>
  • <pennantslgm00@reepsappraisals.com>
  • <radiologyga491@rowla.com>

Virus Total link and MD5: 28790b4f272920a29340a9ddf2fd84aa.
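The indicators above (dropped files, the two Run entries, the AGProtect key, the remote hosts and the sample MD5) are the kind of list a defender wants to sweep host and network telemetry for. The script below is an added example written for this post; it is not MX Lab's code. It transcribes the post's indicators into Python sets and matches them against a constructed, pipe-separated event log (the log format, the sample lines, and the `C:\WINDOWS\system32` / `C:\Documents and Settings\alice` directories used to fold real paths back into the post's `%System%` / `%UserProfile%` notation are all assumptions made for the example).

```python
"""Sweep a simple event log for the Cutwail indicators listed in the MX Lab post.

Added example, not part of the original post. Log format and sample lines are
constructed; the indicators themselves are transcribed from the post.
"""
from dataclasses import dataclass

# Indicators transcribed from the post, in its own %System% / %UserProfile% notation.
CUTWAIL_FILES = {
    r"c:\2.tmp", r"c:\3.tmp", r"c:\4.tmp", r"c:\5.tmp",
    r"%UserProfile%\reader_s.exe",
    r"%System%\reader_s.exe",
    r"%System%\dllcache\ndis.sys",
}
CUTWAIL_RUN_VALUES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "reader_s"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "reader_s"),
}
CUTWAIL_REG_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect"}
CUTWAIL_HOSTS = {
    ("122.1.235.85", 25), ("129.70.14.10", 25), ("193.243.140.105", 25),
    ("193.33.99.231", 25), ("194.8.194.96", 25), ("195.95.199.139", 25),
    ("200.152.177.30", 25), ("202.72.211.115", 25), ("208.70.128.213", 25),
    ("212.170.236.87", 25), ("159.226.7.162", 80), ("218.61.7.9", 80),
    ("78.159.121.41", 38811),
}
CUTWAIL_MD5 = "28790b4f272920a29340a9ddf2fd84aa"


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based line in the scanned log
    kind: str       # "file", "hash", "registry" or "network"
    indicator: str  # what matched, in the post's notation where applicable


def normalize_path(path, system_dir, profile_dir):
    """Fold a concrete Windows path back into %System% / %UserProfile% form, lowercased.

    Windows paths are case-insensitive, so everything is compared in lower case.
    """
    low = path.lower()
    for placeholder, prefix in (("%System%", system_dir), ("%UserProfile%", profile_dir)):
        prefix = prefix.rstrip("\\").lower()
        if low.startswith(prefix + "\\"):
            return (placeholder + path[len(prefix):]).lower()
    return low


def scan(log_text, system_dir=r"C:\WINDOWS\system32",
         profile_dir=r"C:\Documents and Settings\alice"):
    """Return every indicator hit in a pipe-separated log (constructed format):
    file_create|<path>, process_create|<path>|<md5>, reg_set|<key>|<value>, net_connect|<ip>|<port>.
    """
    files = {p.lower() for p in CUTWAIL_FILES}
    run_values = {(k.lower(), v.lower()) for k, v in CUTWAIL_RUN_VALUES}
    keys = {k.lower() for k in CUTWAIL_REG_KEYS}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        event = fields[0]
        if event in ("file_create", "process_create"):
            norm = normalize_path(fields[1], system_dir, profile_dir)
            if norm in files:
                hits.append(Hit(n, "file", norm))
            # The MD5 is checked on its own: it identifies the sample wherever it lands.
            if event == "process_create" and len(fields) > 2 and fields[2].lower() == CUTWAIL_MD5:
                hits.append(Hit(n, "hash", CUTWAIL_MD5))
        elif event == "reg_set":
            key = fields[1].lower()
            value = fields[2].lower() if len(fields) > 2 else ""
            if key in keys:                      # any write under AGProtect is suspicious
                hits.append(Hit(n, "registry", fields[1]))
            elif (key, value) in run_values:     # the reader_s autostart entries
                hits.append(Hit(n, "registry", fields[1] + "\\" + fields[2]))
        elif event == "net_connect":
            if (fields[1], int(fields[2])) in CUTWAIL_HOSTS:
                hits.append(Hit(n, "network", fields[1] + ":" + fields[2]))
    return hits


# Constructed sample log: a mix of Cutwail activity and benign noise.
SAMPLE_LOG = r"""file_create|C:\WINDOWS\system32\reader_s.exe
file_create|C:\WINDOWS\system32\notepad.exe
process_create|C:\Documents and Settings\alice\Local Settings\Temp\photo.exe|28790b4f272920a29340a9ddf2fd84aa
reg_set|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|reader_s
reg_set|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ctfmon
reg_set|HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect|Cfg
net_connect|193.243.140.105|25
net_connect|10.0.0.5|443
file_create|C:\Documents and Settings\alice\reader_s.exe
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} indicator matched: {hit.indicator}")
```

Run against the sample log, the scan reports six hits: the two reader_s.exe drops, the sample hash, the HKLM Run value, the AGProtect key write, and the outbound port 25 connection; the notepad.exe, ctfmon and 10.0.0.5 lines are left alone. On a real host the path placeholders should be resolved from the machine's actual `%SystemRoot%` and profile directories rather than the constants assumed here, and the port 25 hosts are best treated as a signal of the spam engine rather than a fixed blocklist, since such relays change.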
