Method of Infection
When executed, Cutwail drops one or two files to the %Windows%\System32\drivers directory or the %Temp% directory.
It can call the first file either "<number>.sys", "cel90xbe.sys" or "restore.sys" and load the file into kernel memory before deleting it. In this scenario, <number> is determined by the time elapsed since the system was last restarted. Otherwise, it calls the file either "ip6fw.sys", "netdtect.sys" or "secdrv.sys" and installs the file as a service named Ip6Fw, NetDetect or Secdrv respectively. At the time of publication, recent variants only used the filename of "secdrv.sys".
Variants may drop a second file, "runtime.sys", and load it into kernel memory as a device driver. The trojan also creates registry entries, for example:
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Start = 0x3
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Type = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\runtime\ImagePath = "\??\%Windows%\System32\drivers\runtime.sys"
Cutwail contains code for a downloader, as detailed in the Payload section. More recent variants inject the code into an Internet Explorer process without saving it to disk. Earlier variants usually write the file to %Temp%\wuauclt.exe but have also used filenames including "services.exe" and "systems_.exe".
This downloader generally attempts to update Cutwail to the latest variant. The update file goes through a number of extra installation steps before eventually running the file described above. The installation procedure for the downloader varies between earlier and later variants.
Downloader Installation for Recent Variants
Recent variants drop a file, usually to %Windows%\System32\drivers\runtime2.sys, and create the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x3
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ErrorControl = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\??\%Windows%\System32\drivers\runtime2.sys"
The trojan loads "runtime2.sys" into kernel memory as a device driver, deleting the installer after it has run.
Cutwail may drop the file to %Windows%\System32\drivers\runtime2.sy_ if an existing "runtime2.sys" is already loaded on the system. The installer signals the old driver file, requesting that it replace itself with the new one.
The device driver drops a file to %Windows%\Temp\startdrv.exe. It also creates the following registry entries to ensure the driver loads on system startup, even if the system is booted into safe mode:
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\SystemRoot\system32\drivers\runtime2.sys"
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\runtime2\DependOnGroup = "File System"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys\(Default) = "Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys\(Default) = "Driver"
The following registry entry also ensures that "startdrv.exe" runs on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv = "%Windows%\Temp\startdrv.exe"
The driver checks at system startup and reinstates "startdrv.exe" or any of the registry entries if they have been removed.
Downloader Installation for Earlier Variants
Earlier Cutwail variants drop a device driver to %Windows%\System32\main.sys and create the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\Start = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\Type = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\ErrorControl = 0x1
HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE\ImagePath = "\??\%Windows%\System32\main.sys"
Some variants use the following registry key instead:
HKLM\SYSTEM\CurrentControlSet\Services\main1\
Cutwail may also drop %Windows%\System32\reg.sys and load the file as a driver into kernel memory. In this case, "reg.sys" creates the above registry entries. Once this is completed, Cutwail deletes the original dropper file.
At the next system restart, "main.sys" drops a further file to %Windows%\System32\wsys.dll. It also modifies the system file %Windows%\System32\winlogon.exe, and is then deleted.
Before executing the normal "winlogon.exe" code, the modified "winlogon.exe" calls a function in "wsys.dll" whenever a user logs in or "winlogon.exe" is restarted. This call causes a file to be dropped (usually to %Temp%\imapi.exe) and run. The file can also be dropped in the %Windows%\System32\drivers directory, and/or use the filename "svchost.exe".
The trojan deletes "imapi.exe" (and the downloader file, if present) once they have finished running, but these are re-dropped and run by "wsys.dll" at the next login.
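The following read-only audit script is an added example, not part of the original analysis: it checks the registry keys and dropped file paths named above for both the recent "runtime2" driver chain and the earlier "main.sys"/"wsys.dll" chain, plus the C:\as.txt harvest file from the Payload section. It assumes $env:windir and $env:TEMP resolve to %Windows% and %Temp%, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original write-up): audit the Cutwail persistence
# locations described on this page. Read-only; reports, never deletes.
# Assumptions: $env:windir == %Windows%, $env:TEMP == %Temp%, elevated session.
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\runtime2',      # recent variants
    'HKLM:\SYSTEM\CurrentControlSet\Services\runtime',       # second driver, some variants
    'HKLM:\SYSTEM\CurrentControlSet\Services\main1',         # earlier variants
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys'
)
$files = @(
    "$env:windir\System32\drivers\runtime2.sys", "$env:windir\System32\drivers\runtime2.sy_",
    "$env:windir\System32\drivers\runtime.sys",  "$env:windir\Temp\startdrv.exe",
    "$env:windir\System32\main.sys", "$env:windir\System32\reg.sys", "$env:windir\System32\wsys.dll",
    "$env:TEMP\imapi.exe", "$env:TEMP\wuauclt.exe", 'C:\as.txt'
)
$findings = @()

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        # Dump every value under the key (Start, Type, ImagePath, (default) ...) for review.
        $values = (Get-ItemProperty -LiteralPath $k).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' } |
                  ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $k; Detail = ($values -join '; ') }
    }
}

# Run entry that relaunches startdrv.exe at logon (recent variants).
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                        -Name startdrv -ErrorAction SilentlyContinue
if ($run) { $findings += [pscustomobject]@{ Type = 'Registry'; Item = 'Run\startdrv'; Detail = $run.startdrv } }

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $fi = Get-Item -LiteralPath $f -Force   # -Force also surfaces hidden/system files
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = "size=$($fi.Length) mtime=$($fi.LastWriteTime)" }
    }
}

# Earlier variants patch winlogon.exe, which breaks its Microsoft signature. Where PowerShell
# cannot consult the signing catalog, clean system binaries also report NotSigned, so compare
# a NotSigned result against a known-good copy instead of treating it as proof of tampering.
$sig = Get-AuthenticodeSignature -FilePath "$env:windir\System32\winlogon.exe"
if ($sig.Status -ne 'Valid') {
    $findings += [pscustomobject]@{ Type = 'File'; Item = 'winlogon.exe'; Detail = "signature status: $($sig.Status)" }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Cutwail indicators found on this live system.' }
```

Because the driver reinstates removed entries at startup and most variants hide their files and registry keys with rootkit techniques (see Rootkit Functionality below), an empty result from a live system is not conclusive; repeat the checks with the disk and registry hives mounted from a clean operating system.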
Notes:
- %Windows% is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP and Vista it is C:\Windows.
- %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
Payload
Downloads and Executes Arbitrary Files
Cutwail sends a number of parameters to one of a list of servers and attempts to download a file.
If this fails, it tries to use one of the other servers from the list. Some variants use a smaller subset of this list of servers, and some instead attempt to contact the server at managed.unexpand.com.
The downloaded file may contain one or more encoded executables. Each executable may either be saved to %Temp%\<number>.exe and executed, or injected into a new Internet Explorer process (or, in earlier variants, a new copy of its own downloader) without being written to disk. In the former case, <number> is determined by the time elapsed since the system was last restarted, and is likely to be different from that of the .sys file (mentioned in the Method of Infection section above).
At the time of publication, Cutwail generally downloads, saves and executes the latest Cutwail variant. It also injects up to three executables without saving them (as mentioned above in the Method of Infection section). These files usually allow for the sending of bulk e-mail, but this may change as the content of the download changes.
One example download, containing three files to be injected, is described below:
Sends Bulk Email
One executable harvests e-mail addresses from files in the %UserProfile% directory and all subdirectories. It searches files whose extensions begin with the following:
.txt
.adb
.asp
.dbx
.eml
.fpt
.htm
.inb
.mbx
.php
.pmr
.sht
.tbb
.wab
Harvested addresses are saved to C:\as.txt and posted to 208.66.195.169.
A second executable contacts a server at 216.195.58.17. This returns a list of web servers, search parameters and other details. Various servers from this list are contacted and provided with random search parameter values from the list. The results appear to be used to generate email subject lines and possibly message bodies.
The third executable connects to a server at 208.66.195.162. This may provide it with a list of email recipients and other e-mail parameters. It then attempts to send the email to these recipients.
Rootkit Functionality
Cutwail's rootkit functionality appears to prevent registry modifications from being detected by security and monitoring programs. It may also monitor the list of running processes. Most variants also hide files and registry entries associated with Cutwail.
Analysis by David Wood