Email with subject “Hello Darling” contains Cutwail trojan

MX Lab intercepted new emails containing a new variant of the Cutwail trojan, detected under the names Win32:Cutwail-AA (Avast) or W32/Trojan3.BLU (F-Prot). At Virus Total only 11 of the 41 AV engines detect the trojan, so the detection rate is quite low.

The message comes from a spoofed email address and has the subject “Hello Darling”. It carries the attachment photo.zip, and the archive contains the 32 kB file photo.exe.

The body of the email is very short:

Hi, how are you? My photos Which I promised in attached file

This Cutwail trojan will create the following files:

c:\2.tmp
c:\3.tmp
c:\4.tmp
c:\5.tmp
%UserProfile%\reader_s.exe
%System%\reader_s.exe
%System%\dllcache\ndis.sys

New processes are created:

%System%\reader_s.exe – 49,152 bytes
%UserProfile%\reader_s.exe – 49,152 bytes

New memory pages created in the address space of the system process(es):

%System%\svchost.exe – 5,124,096 bytes
%System%\svchost.exe – 81,920 bytes

The following Registry Key was created:

HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%System%\reader_s.exe”

so that reader_s.exe runs every time Windows starts.

[HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect]
+ Cfg = 09 00 00 00 BE 4B 00 00 4D EE 80 1F BF AC AC AC A5 AC B9 AC AC AC AC AC 7C AC 5E 5F 54 42 5A 5F 42 55 42 57 AC BA AC AC AC AC AC 7C AC 5A 5F 42 5F 5B 54 42 5F 5A 55 42 5B 57 AC B4 AC AC AC AC AC 7C AC 5F 55 58 42 5F 59 59 42 5F 5C 58 42 5E 5F 5C AC B

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ reader_s = “%UserProfile%\reader_s.exe”
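The file and registry artifacts above can be turned directly into host-based detection logic. The Python below is an added example (not code from MX Lab or from the original post): it matches Sysmon-style file-create and registry-value-set events against the artifacts listed in this write-up. The event field names, the concrete directories used to expand %System% and %UserProfile%, and the sample events are all assumptions constructed for the example.

```python
import re

# IoCs transcribed from the write-up, kept in the report's %System% / %UserProfile% form.
DROPPED_FILES = {
    r"%System%\reader_s.exe",
    r"%UserProfile%\reader_s.exe",
    r"%System%\dllcache\ndis.sys",  # legitimate file on XP; a fresh write to it is the signal
}
TEMP_FILE_RE = re.compile(r"^c:\\\d\.tmp$", re.IGNORECASE)  # c:\2.tmp ... c:\5.tmp
RUN_VALUE_RE = re.compile(
    r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\reader_s$", re.IGNORECASE)
AGPROTECT_KEY = r"HKLM\SOFTWARE\AGProtect"

# Assumed directory layout (Windows XP era, matching the placeholders in the report).
SYSTEM_DIR = r"C:\WINDOWS\system32"
PROFILE_DIR = r"C:\Documents and Settings\user"


def normalize_path(path):
    """Collapse a concrete path back to the report's placeholder form for comparison."""
    low = path.lower()
    if low.startswith(SYSTEM_DIR.lower()):
        return "%System%" + path[len(SYSTEM_DIR):]
    if low.startswith(PROFILE_DIR.lower()):
        return "%UserProfile%" + path[len(PROFILE_DIR):]
    return path


def normalize_hive(target):
    """Map long hive names to the short form Sysmon uses so both spellings match."""
    return (target.replace("HKEY_LOCAL_MACHINE", "HKLM")
                  .replace("HKEY_CURRENT_USER", "HKCU"))


def classify_event(event):
    """Return a list of (rule_name, detail) hits for one event dict."""
    hits = []
    if event["EventType"] == "FileCreate":
        norm = normalize_path(event["TargetFilename"])
        if norm.lower() in {f.lower() for f in DROPPED_FILES}:
            hits.append(("cutwail_file_drop", norm))
        elif TEMP_FILE_RE.match(norm):
            hits.append(("cutwail_tmp_dropper", norm))
    elif event["EventType"] == "RegistryValueSet":
        target = normalize_hive(event["TargetObject"])
        details = event.get("Details", "")
        # Run-key persistence: value named reader_s pointing at reader_s.exe
        if RUN_VALUE_RE.match(target) and details.lower().endswith("reader_s.exe"):
            hits.append(("cutwail_run_persistence", f"{target} = {details}"))
        # Anything written under the AGProtect key (the Cfg blob above)
        if target.lower().startswith(AGPROTECT_KEY.lower()):
            hits.append(("cutwail_agprotect_config", target))
    return hits


def scan(events):
    """Run every event through the rules; return (timestamp, rule, detail) tuples."""
    return [(ev["Time"], rule, detail) for ev in events for rule, detail in classify_event(ev)]


# Constructed sample events (not real telemetry): four should match, two should not.
SAMPLE_EVENTS = [
    {"Time": "10:00:01", "EventType": "FileCreate", "TargetFilename": r"C:\2.tmp"},
    {"Time": "10:00:02", "EventType": "FileCreate",
     "TargetFilename": r"C:\WINDOWS\system32\reader_s.exe"},
    {"Time": "10:00:02", "EventType": "FileCreate",
     "TargetFilename": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"Time": "10:00:03", "EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s",
     "Details": r"C:\WINDOWS\system32\reader_s.exe"},
    {"Time": "10:00:03", "EventType": "RegistryValueSet",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\AGProtect\Cfg", "Details": "Binary Data"},
    {"Time": "10:00:04", "EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
     "Details": r"C:\WINDOWS\system32\ctfmon.exe"},
]

if __name__ == "__main__":
    for time, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{time} {rule:28} {detail}")
```

The dllcache\ndis.sys entry is deliberately matched on a write rather than on existence, because the file is part of a normal install; the tmp rule is kept narrow (single digit, root of C:) to avoid firing on ordinary temp files.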

Connections with remote hosts are established:

122.1.235.85:25
129.70.14.10:25
193.243.140.105:25
193.33.99.231:25
194.8.194.96:25
195.95.199.139:25
200.152.177.30:25
202.72.211.115:25
208.70.128.213:25
212.170.236.87:25
159.226.7.162:80
218.61.7.9:80
78.159.121.41:38811

The data requested from the remote server:

hxxp://5job5.cn/l2/1.php
hxxp://5job5.cn/l2/2.php
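On the network side, the two signals worth alerting on are the listed endpoints themselves and the behaviour they imply: a single workstation opening outbound port-25 connections to many different hosts in a short window, which ordinary clients do not do. The Python below is an added example (not code from MX Lab or from the original post) that runs both checks over constructed firewall log lines; the log format, the internal addresses and the fan-out threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints transcribed from the write-up: the port-25 connections are outbound SMTP,
# the remaining three are the other remote hosts the sample contacts.
SMTP_ENDPOINTS = {
    "122.1.235.85", "129.70.14.10", "193.243.140.105", "193.33.99.231", "194.8.194.96",
    "195.95.199.139", "200.152.177.30", "202.72.211.115", "208.70.128.213", "212.170.236.87",
}
OTHER_ENDPOINTS = {("159.226.7.162", 80), ("218.61.7.9", 80), ("78.159.121.41", 38811)}

# Assumed firewall log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def analyse(lines, window=timedelta(minutes=5), fanout_threshold=5):
    """Return {src: [alerts]} for known-endpoint hits and for port-25 fan-out per host."""
    smtp_flows = defaultdict(list)  # src -> [(ts, dst)] for outbound port-25 connections
    alerts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if (rec["dst"], rec["dport"]) in OTHER_ENDPOINTS:
            alerts[rec["src"]].add(f"known_remote_host:{rec['dst']}:{rec['dport']}")
        if rec["dport"] == 25:
            if rec["dst"] in SMTP_ENDPOINTS:
                alerts[rec["src"]].add(f"known_smtp_endpoint:{rec['dst']}")
            smtp_flows[rec["src"]].append((rec["ts"], rec["dst"]))
    # Behavioural rule: many distinct port-25 destinations from one host inside the window.
    minutes = int(window.total_seconds() // 60)
    for src, flows in smtp_flows.items():
        flows.sort()
        for i, (t0, _) in enumerate(flows):
            distinct = {dst for ts, dst in flows[i:] if ts - t0 <= window}
            if len(distinct) >= fanout_threshold:
                alerts[src].add(f"smtp_fanout:{len(distinct)}_hosts_in_{minutes}m")
                break
    return {src: sorted(a) for src, a in alerts.items()}


# Constructed sample log (not real traffic): 10.0.0.23 behaves like the bot,
# 10.0.0.40 only talks to the internal mail relay and must not be flagged.
SAMPLE_LOG = """\
2009-03-10 10:00:05 src=10.0.0.23 dst=78.159.121.41 dport=38811 proto=tcp
2009-03-10 10:00:09 src=10.0.0.23 dst=122.1.235.85 dport=25 proto=tcp
2009-03-10 10:00:31 src=10.0.0.23 dst=129.70.14.10 dport=25 proto=tcp
2009-03-10 10:00:40 src=10.0.0.40 dst=10.0.0.5 dport=25 proto=tcp
2009-03-10 10:01:02 src=10.0.0.23 dst=193.243.140.105 dport=25 proto=tcp
2009-03-10 10:01:40 src=10.0.0.23 dst=203.0.113.7 dport=25 proto=tcp
2009-03-10 10:02:15 src=10.0.0.23 dst=194.8.194.96 dport=25 proto=tcp
2009-03-10 10:02:58 src=10.0.0.23 dst=200.152.177.30 dport=25 proto=tcp
2009-03-10 10:03:10 src=10.0.0.40 dst=10.0.0.5 dport=25 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src, found in analyse(SAMPLE_LOG).items():
        print(src, ", ".join(found))
```

The fan-out rule is the durable part: the IP list will age out as the botnet rotates delivery targets, but a client that is not the mail relay fanning out to several distinct port-25 hosts in a few minutes stays suspicious. In production the relay would be excluded by address rather than by relying on its single destination as in the sample.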

Since Cutwail has a built-in SMTP server, it can send out emails from the following addresses:

  • <blowzt37@rialvacuum.com>
  • <parted@rounbehler.com>
  • <monthly78@roubech.com>
  • <glowwormkv9@roy-iris.com>
  • <baronsd24@rell.com>
  • <redefinitionuxwa911@raymondalexander.com>
  • <plazasu51@royalpapyrus.com>
  • <wailingee927@realtorsathens.com>
  • <lieutenancyhtf51@remec.com>
  • <disapprobationsy8@retecinterface.com>
  • <amniocenteseskui32@rciinc.com>
  • <ceausescuyfi99@renoimage.com>
  • <balkmyq4@rowafil.com>
  • <digits9609@ramaker.com>
  • <steviek@rotatori.com>
  • <spangledgkuf4@rdg.boehringer-ingelheim.com>
  • <pennantslgm00@reepsappraisals.com>
  • <radiologyga491@rowla.com>

Virus Total link and MD5: 28790b4f272920a29340a9ddf2fd84aa.
