Threat behavior
TrojanDropper:Win32/Cutwail.AD is a trojan that drops TrojanDownloader:Win32/Cutwail, a trojan that downloads and executes predefined malicious files.
Installation
When executed, TrojanDropper:Win32/Cutwail.AD drops a DLL to the System folder using a variant-specific filename, for example, one that drops the file "<system folder>\winnt32.dll". It modifies the registry to load the DLL at each Windows start, for example:
Adds value: "DLLName"
With data: "winnt32.dll,"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
TrojanDropper:Win32/Cutwail drops a device driver to the system folder using a random filename, for example, <system folder>\Mbl30.sys. It then adds two registry subkeys to ensure that it is loaded in safe mode, for example:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mbl30.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Mbl30.sys
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location for Windows 2000/NT is "C:\Winnt\System32", and for Windows XP/Vista it is "C:\Windows\System32".
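The two persistence locations described above (a Winlogon\Notify subkey whose DLLName value loads a DLL from the System folder, and SafeBoot\Minimal and SafeBoot\Network subkeys named after a dropped driver) can be enumerated from an elevated PowerShell prompt. The script below is an added hunting example, not part of the original write-up; it reports every entry whose backing file is missing or not validly signed. The function name and the choice to treat anything but a Valid Authenticode status as suspicious are assumptions.

```powershell
# Added example: enumerate the persistence points used by this dropper and
# check each referenced file on disk. Run elevated; read-only, changes nothing.
function Get-CutwailPersistenceCandidates {
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Resolve a file name relative to System32 (or System32\drivers) and
    # return its Authenticode status, or MISSING if it is not on disk.
    function Resolve-Status([string]$name, [string[]]$dirs) {
        foreach ($d in $dirs) {
            $p = if ([IO.Path]::IsPathRooted($name)) { $name } else { Join-Path $d $name }
            if (Test-Path $p) {
                return [pscustomobject]@{ File = $p; Signature = (Get-AuthenticodeSignature $p).Status }
            }
        }
        [pscustomobject]@{ File = $name; Signature = 'MISSING' }
    }

    # 1. Winlogon notification packages. winlogon.exe loaded the DLLName of
    #    each subkey on XP/2000; Vista and later no longer use this key, so
    #    any subkey present there deserves review on its own.
    $notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem $notifyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DLLName
        if (-not $dll) { return }
        # The write-up shows the value written with a trailing comma ("winnt32.dll,").
        $r = Resolve-Status $dll.TrimEnd(',').Trim() @($system32)
        [pscustomobject]@{ Source = 'Winlogon\Notify'; Key = $_.PSChildName
                           File = $r.File; Signature = $r.Signature }
    }

    # 2. SafeBoot entries named after a .sys file: a driver listed here is
    #    allowed to load in Safe Mode (Minimal) and Safe Mode with Networking.
    foreach ($mode in 'Minimal', 'Network') {
        $root = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*.sys' } |
            ForEach-Object {
                # The dropper places its driver directly in System32, so check there too.
                $r = Resolve-Status $_.PSChildName @((Join-Path $system32 'drivers'), $system32)
                [pscustomobject]@{ Source = "SafeBoot\$mode"; Key = $_.PSChildName
                                   File = $r.File; Signature = $r.Signature }
            }
    }
}

# Show only entries whose file is missing or not validly signed.
Get-CutwailPersistenceCandidates | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

A hit on a Winlogon\Notify subkey pointing at a DLL in System32, or a SafeBoot subkey for an unsigned .sys file, matches the installation pattern described above and is worth pulling the file for analysis.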
Payload
Downloads and Executes Arbitrary Files
TrojanDropper:Win32/Cutwail.AD attempts to connect to one of the following remote hosts for possible downloading purposes:
208.66.195.71
66.232.113.80
217.170.77.146
208.66.194.232
Analysis by Chun Feng
Prevention