Cutwail trojan variant out in the wild



MX Lab is intercepting quite a lot of viruses these days. Since October 27th, 2009, when we reported on the “Facebook Password Reset Confirmation” campaign, we have noticed a serious increase in viruses.

We now have a new trojan in the wild, detected as Trojan-Downloader:W32/Cutwail.CU (F-Secure) or Troj/Agent-LNR (Sophos).

The email comes from a spoofed address that shows ‘boss’ as the display name in the From header and has the subject “get back to my office for more details”. The body of the email is very short and contains only two lines of text:

Please read the attached letter and get back to my office for more details to proceed further.

Thanks and have a very nice day.

The attachment is named info.zip and unpacks to the executable info.exe.
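The lure described above (spoofed sender with display name ‘boss’, the fixed subject line, a zip attachment carrying an .exe) is easy to match at the mail gateway. The following is an added example, not MX Lab's own filter code: it builds a constructed test message that mimics the campaign (the zipped info.exe is dummy bytes, not the real trojan), parses it with Python's `email` module, checks each indicator separately, and hashes any executable found inside a zip against the MD5 published at the end of this write-up. The verdict logic is an assumption for illustration: a hash match alone quarantines, and so does the lure plus an executable inside a zip, which also catches repacked variants whose hash no longer matches.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the write-up above.
KNOWN_SUBJECT = "get back to my office for more details"
KNOWN_DISPLAY_NAME = "boss"
KNOWN_ATTACHMENT = "info.zip"
KNOWN_MD5 = "fc9eaa5e85e9843ddb184c7197fc5e40"


def build_sample_eml() -> bytes:
    """Constructed test message that mimics the campaign lure.

    The zipped info.exe is a dummy byte string, not the real trojan, so its
    MD5 will not match KNOWN_MD5; that is deliberate (see inspect_message).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("info.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "boss <boss@example.invalid>"   # spoofed sender, display name 'boss'
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "get back to my office for more details"
    msg.set_content(
        "Please read the attached letter and get back to my office for more "
        "details to proceed further.\n\nThanks and have a very nice day.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="info.zip")
    return msg.as_bytes()


def inspect_message(raw: bytes) -> dict:
    """Check one RFC 822 message against the campaign indicators.

    Returns a dict of individual indicator hits plus an overall verdict, so
    the caller can see *why* a message was flagged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "display_name": False, "attachment": False,
            "exe_in_zip": [], "md5_match": False}

    hits["subject"] = (msg["Subject"] or "").strip().lower() == KNOWN_SUBJECT
    display, _addr = parseaddr(str(msg["From"] or ""))
    hits["display_name"] = display.strip().lower() == KNOWN_DISPLAY_NAME

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == KNOWN_ATTACHMENT:
            hits["attachment"] = True
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue                      # not a zip: nothing more to unpack
        with zf:
            for member in zf.namelist():
                if member.lower().endswith(".exe"):
                    hits["exe_in_zip"].append(member)
                    digest = hashlib.md5(zf.read(member)).hexdigest()
                    if digest == KNOWN_MD5:
                        hits["md5_match"] = True

    # Verdict policy (assumed for this example): a hash match alone is
    # enough, and so is the lure (subject + display name) combined with an
    # executable inside a zip, which also catches repacked variants.
    if hits["md5_match"] or (hits["subject"] and hits["display_name"] and hits["exe_in_zip"]):
        hits["verdict"] = "quarantine"
    elif hits["subject"] or hits["exe_in_zip"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


if __name__ == "__main__":
    print(inspect_message(build_sample_eml()))
```

Running the block on the constructed message reports the subject, display name and attachment indicators as matched, `info.exe` found inside the zip, and no MD5 match; the verdict is still quarantine because the lure and the zipped executable together are enough. Relying on the hash alone would let the next repacked build through.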

Analysis of the file info.exe shows that this trojan produces outbound traffic and has a built-in SMTP engine for sending out emails.

The files %UserProfile%\reader_s.exe, %System%\reader_s.exe and %System%\dllcache\ndis.sys are created on an infected system, and the file %System%\drivers\ndis.sys is altered. Note that ndis.sys is the Windows network driver stack, and planting a copy in dllcache as well defeats Windows File Protection, which restores protected system files from that cache.

Two new processes are created, %System%\reader_s.exe and %UserProfile%\reader_s.exe (both 53 kB), and a new memory page is created in the address space of the system process(es) %System%\svchost.exe. Several Windows registry modifications are also part of the infection.

The trojan will try to establish a connection to one of these hosts on port 25 (SMTP):

129.210.252.1
129.41.169.30
156.25.4.8
195.110.124.132
207.5.74.239
209.221.136.43
216.163.188.60
64.18.4.10
64.18.4.11
64.18.6.10

It also connects to the host 78.159.121.41 on port 38811.
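The two network indicators above (the port 25 hosts and 78.159.121.41:38811) are the quickest way to find infected machines from perimeter logs. The following is an added example, not from MX Lab: it matches netfilter/iptables LOG lines (constructed sample data, not from a real incident) against the listed hosts and the 38811 connection, and additionally flags any internal host other than the site's mail relay that opens outbound SMTP at all, since a workstation with its own SMTP engine will also contact MX hosts that are not on this list. The relay address `10.0.0.25` and the iptables log format are assumptions for the example.

```python
import re
from collections import Counter

# Indicators from the write-up: hosts the trojan contacts on TCP/25 (using its
# own SMTP engine) and the one host it reaches on TCP/38811.
CUTWAIL_SMTP_HOSTS = {
    "129.210.252.1", "129.41.169.30", "156.25.4.8", "195.110.124.132",
    "207.5.74.239", "209.221.136.43", "216.163.188.60",
    "64.18.4.10", "64.18.4.11", "64.18.6.10",
}
CUTWAIL_C2 = ("78.159.121.41", 38811)

# Assumption for this example: only this internal host is allowed to speak
# SMTP to the internet; any other internal source on TCP/25 is suspect.
ALLOWED_SMTP_SOURCES = {"10.0.0.25"}

# netfilter/iptables LOG target format (SRC/DST/PROTO/DPT fields).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
Oct 30 11:46:01 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=64.18.4.10 LEN=60 PROTO=TCP SPT=1034 DPT=25 SYN
Oct 30 11:46:02 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=78.159.121.41 LEN=60 PROTO=TCP SPT=1035 DPT=38811 SYN
Oct 30 11:46:05 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40211 DPT=25 SYN
Oct 30 11:46:07 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=192.0.2.7 LEN=60 PROTO=TCP SPT=1036 DPT=25 SYN
Oct 30 11:46:09 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=1037 DPT=80 SYN
Oct 30 11:46:11 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=156.25.4.8 LEN=60 PROTO=TCP SPT=2201 DPT=25 SYN
Oct 30 11:46:12 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=2202 DPT=53
"""


def classify(line: str):
    """Return (severity, reason) for one log line, or None if it is benign."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dpt = m["src"], m["dst"], int(m["dpt"])
    if (dst, dpt) == CUTWAIL_C2:
        return ("high", f"{src} contacted Cutwail host {dst}:{dpt}")
    if dpt == 25 and dst in CUTWAIL_SMTP_HOSTS:
        return ("high", f"{src} contacted known Cutwail SMTP target {dst}")
    if dpt == 25 and src not in ALLOWED_SMTP_SOURCES:
        return ("medium", f"{src} sent direct outbound SMTP to {dst} (not the mail relay)")
    return None


def scan(log_text: str):
    """Scan a log and return (alerts, infected_hosts).

    infected_hosts counts high-severity hits per internal source address;
    those are the machines to check for reader_s.exe and the altered ndis.sys.
    """
    alerts = []
    infected = Counter()
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append((severity, reason))
        if severity == "high":
            infected[LOG_RE.search(line)["src"]] += 1
    return alerts, infected


if __name__ == "__main__":
    alerts, infected = scan(SAMPLE_LOG)
    for sev, why in alerts:
        print(f"[{sev}] {why}")
    print("hosts to image:", dict(infected))
```

On the sample log this yields four alerts: three high-severity hits (10.0.0.42 on a listed port 25 host and on 78.159.121.41:38811, and 10.0.0.17 on another listed host) plus one medium hit for 10.0.0.42 opening SMTP to an unlisted destination. The relay's own SMTP traffic and the HTTP and DNS lines are ignored.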

The sample also carries a list of 21 email addresses that could be used as senders in virus or spam campaigns; the addresses were obfuscated by the site's spam-bot protection and are not preserved in this copy of the article.

MD5 of the sample: fc9eaa5e85e9843ddb184c7197fc5e40 (the VirusTotal permalink is not preserved in this copy).



Written on Friday, 30 October 2009 11:46 by
