My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


~ 20 kB
(, TROJ_CUTWAIL.FZ, Win32:Cutwail-K [Trj], TrojanDownloader:Win32/Cutwail.AI)


- %username%.exe running on system
- presence of %username%.exe in %userprofile%\%username"
- increased internet activity

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Balazs BIRO, jr. virus researcher

Technical Description:

The Trojan (at the moment of writing) consists of three components:
- a downloader component, used to download other components
- a dropper component which dropps a driver
- a spammer component

When first run, the downloader component unpacks itself in memory, after which it copies itself to  userprofile%\%username%.exe and registers the copy to run at system startup using the key %username% in
having the value:
%userprofile%\%username% /i

After this it will delete itself.
It will also slowly inject itself into the processes running on the system. The synchronization between the running instances is achieved with the help of randomly named mutexes.

To protect itself it will constantly launch itself, do it's job and exit. The launched instance is doing the same thing. This makes it almost impossible to terminate because of the rapidly changing value of the Process Identifier.

It will try to connect to a valid server from a list of addresses. If it succeeds, it will download the other two components (the dropper and the spammer).

The dropper component will be executed first, it will be written to the "%temp%" directory with the name BN[number].tmp. After unpacking itself in memory it will drop a driver in the directory %windir%\system32\drivers\[name].sys where name can be one of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.

Regardless of the file name, the symbolic link created by the driver will be ndis_ver2. If the driver is already present it can update it to a newer version.

After this it will delete itself.

The driver's job is to inject the downloader component (identical to the original downloader component) contained within it into services.exe from kernel mode.

The spammer component will be injected into svchost.exe, after this the victim's computer will become a spam-bot, sending unwanted emails.