TROJ_CUTWAIL.LL
PLATFORM:
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 44,032 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 20 Mar 2013
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system:
- %User Profile%\lykbuhojofeh.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
lykbuhojofeh = %User Profile%\lykbuhojofeh.exe
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.221.83
- {BLOCKED}dicap.at
- {BLOCKED}0.63.50
- {BLOCKED}2.12.204
- {BLOCKED}4.183.85
- {BLOCKED}.58.202
- {BLOCKED}.58.202
- {BLOCKED}.62.50
- {BLOCKED}.176.24
- {BLOCKED}41.196.91
- {BLOCKED}44.84.208
- {BLOCKED}2.205.213
- {BLOCKED}212.162.216
- {BLOCKED}97.73.212
- {BLOCKED}76.78.195
- {BLOCKED}184.27.202
- {BLOCKED}198.18.84
- {BLOCKED}4.113.193
- {BLOCKED}70.8.64
- {BLOCKED}41.17.193
- {BLOCKED}145.153.194
- {BLOCKED}195.214.195
- {BLOCKED}743957.arhn.rgs.ru
- {BLOCKED}243.59.199
- {BLOCKED}40.108.206
- {BLOCKED}182.104.192
- {BLOCKED}209.62.173
- {BLOCKED}202.162.108
- {BLOCKED}203.162.108
- {BLOCKED}198.162.108
- {BLOCKED}199.162.108
- {BLOCKED}224.30.64
- {BLOCKED}35.137.202
- {BLOCKED}9.55.65
- {BLOCKED}32.236.143
- {BLOCKED}82.78.166
- {BLOCKED}170.117.74
- {BLOCKED}92.201.173
- {BLOCKED}11.200.207
- {BLOCKED}20.5.207
- {BLOCKED}46.46.64
- {BLOCKED}0.91.208
- {BLOCKED}13.15.209
- {BLOCKED}98.202.213
- {BLOCKED}209.37.174
- {BLOCKED}89.53.212
- {BLOCKED}242.54.159
- {BLOCKED}76.21.147
- {BLOCKED}6.205.67
- {BLOCKED}1.24.24
- {BLOCKED}173.46.78
- {BLOCKED}25.37.170
- {BLOCKED}28.75.213
- {BLOCKED}57.31.114
- {BLOCKED}67.147.200
- {BLOCKED}108.32.72
- {BLOCKED}192.50.69
- {BLOCKED}120.248.87
- {BLOCKED}61.9.5
- {BLOCKED}4.87.208
- {BLOCKED}206.55.65
- {BLOCKED}52.65.62
- {BLOCKED}197.86.74
- {BLOCKED}124.3.195
- {BLOCKED}47.70.12
- {BLOCKED}86.98.82
- {BLOCKED}30.42.62
- {BLOCKED}233.95.220
- {BLOCKED}163.125.80
- {BLOCKED}203.227.193
- {BLOCKED}133.208.206
- {BLOCKED}16.40.188
- {BLOCKED}130.14.195
- {BLOCKED}169.93.204
- {BLOCKED}100.72.198
- {BLOCKED}41.216.15
- {BLOCKED}109.127.167
- {BLOCKED}1.9.147
- {BLOCKED}89.12.64
- {BLOCKED}34.70.180
- {BLOCKED}21.168.184
- {BLOCKED}3.86.209
- {BLOCKED}143.127.216
- {BLOCKED}160.221.37
- {BLOCKED}47.239.173
- {BLOCKED}bloguite.com
- {BLOCKED}6.168.192
- {BLOCKED}.91.155
- {BLOCKED}9.21.50
- {BLOCKED}31.112.212
- {BLOCKED}45.39.162
- {BLOCKED}76.100.94
- {BLOCKED}99.13.217
- {BLOCKED}3.86.209
- {BLOCKED}162.55.65
- {BLOCKED}01220020.sci.smolensk.ru
- {BLOCKED}02040611.sci.smolensk.ru
- {BLOCKED}03230707.sci.smolensk.ru
- {BLOCKED}03031616.sci.smolensk.ru
- {BLOCKED}192.50.69
- {BLOCKED}93.86.209
- {BLOCKED}65.144.202
- {BLOCKED}20.190.194
- {BLOCKED}39.61.92
- {BLOCKED}135.17.216
- {BLOCKED}182.104.192
- {BLOCKED}89.69.207
- {BLOCKED}3.86.209
- {BLOCKED}98.202.213
- {BLOCKED}4.131.210
- {BLOCKED}76.2.skpari.ru
- {BLOCKED}89.69.207
- {BLOCKED}168.11.204
- {BLOCKED}213.205.119
- {BLOCKED}168.249.80
- {BLOCKED}174.54.216
- {BLOCKED}206.55.65
- {BLOCKED}217.84.203
- {BLOCKED}7.227.212
- {BLOCKED}32.205.85
- {BLOCKED}6.5.103
- {BLOCKED}0.193.31
- {BLOCKED}146.56.195
- {BLOCKED}232.42.62
- {BLOCKED}160.76.63
- {BLOCKED}11.14.147
- {BLOCKED}140.71.82
- {BLOCKED}144.172.210
- {BLOCKED}148.197.192
- {BLOCKED}147.64.69
- {BLOCKED}237.86.74
- {BLOCKED}40.70.155
- {BLOCKED}66.157.209
- {BLOCKED}25.92.64
- {BLOCKED}24.30.64
- {BLOCKED}.165.137
- {BLOCKED}31.125.74
- {BLOCKED}41.125.74
- {BLOCKED}89.69.207
- {BLOCKED}52.245.207
- {BLOCKED}89.69.207
- {BLOCKED}10.73.208
- {BLOCKED}8.95.130
- {BLOCKED}3.3.212
- {BLOCKED}2.140.78
- {BLOCKED}50.210
- {BLOCKED}.75.77
- {BLOCKED}34.95.24
- {BLOCKED}9.44.62
- {BLOCKED}9.74.212
- {BLOCKED}7.54.66
- {BLOCKED}2.111.61
- {BLOCKED}9.205.74
- {BLOCKED}31.130.195
- {BLOCKED}84.70.217
- {BLOCKED}4.151.75
- {BLOCKED}31.130.195
- {BLOCKED}9.159.209
- {BLOCKED}2.63.50
- {BLOCKED}1.168.184
- {BLOCKED}2.1
- {BLOCKED}.229.94
- {BLOCKED}.6.66
- {BLOCKED}.44.199
- {BLOCKED}84.82.208
- {BLOCKED}11.52.72
- {BLOCKED}57.44.204
- {BLOCKED}3.104.62
- {BLOCKED}6.160.144
- {BLOCKED}55.160.144
- {BLOCKED}90.211.95
- {BLOCKED}2.13.72
- {BLOCKED}2.86.209
- {BLOCKED}45.13.213
- {BLOCKED}98.162.108
- {BLOCKED}99.162.108
- {BLOCKED}29.18.178
- {BLOCKED}85.26.58
- {BLOCKED}ates.eu
- {BLOCKED}r-hosting.de
- {BLOCKED}randever.de
- {BLOCKED}revents.nl
- {BLOCKED}rflashlight.de
- {BLOCKED}rphp.de
- {BLOCKED}rweb.nl
- {BLOCKED}rweb.nl.localdomain
- {BLOCKED}ry1.cz
- {BLOCKED}5.40.64
- {BLOCKED}0.126.134
- {BLOCKED}5.165.213
- {BLOCKED}.144.24
- {BLOCKED}02.63.50
- {BLOCKED}85.26.58
- {BLOCKED}00.188.205
- {BLOCKED}01.188.205
- {BLOCKED}2.101.141
- {BLOCKED}.159.5
- {BLOCKED}15.93.77
- {BLOCKED}24.255.46
- {BLOCKED}6.42.70
- {BLOCKED}1.46.207
- {BLOCKED}85.47.208
- {BLOCKED}24.150.66
- {BLOCKED}55.238.62
- {BLOCKED}6.235.180
- {BLOCKED}2.110.12
- {BLOCKED}4.13.144
- {BLOCKED}.210.141
- {BLOCKED}6.11.74
- {BLOCKED}1.45.173
- {BLOCKED}0.238.195
- {BLOCKED}86.116.194
- {BLOCKED}0.186.64
- {BLOCKED}.111.66
- {BLOCKED}.111.66
- {BLOCKED}39.177.81
- {BLOCKED}18.30.212
- {BLOCKED}57.164.184
- {BLOCKED}33.113.74
- {BLOCKED}6.255.46
- {BLOCKED}28.196.82
- {BLOCKED}6.27.211
- {BLOCKED}.43.86
- {BLOCKED}4.58.199
- {BLOCKED}51.29.64
- {BLOCKED}10.31.50
- {BLOCKED}47.18.69
- {BLOCKED}10.31.50
- {BLOCKED}30.163.109
- {BLOCKED}4.70.180
- {BLOCKED}.1.68
- {BLOCKED}6.169.202
- {BLOCKED}6.115.162
- {BLOCKED}08.115.162
- {BLOCKED}0.188.137
- {BLOCKED}34.70.180
- {BLOCKED}24.138.193
- {BLOCKED}71.166.209
- {BLOCKED}2.76.144
- {BLOCKED}30.163.109
- {BLOCKED}4.34.70
- {BLOCKED}4.207.206
- {BLOCKED}ine.fr
- {BLOCKED}ten.de
- {BLOCKED}.com
- {BLOCKED}bg
- {BLOCKED}ss995.com
- {BLOCKED}untant.com
- {BLOCKED}unting.ee
- {BLOCKED}internet.com
- {BLOCKED}e-dsl.de
- {BLOCKED}tate.com
- {BLOCKED}.gmail-smtp-in.l.google.com
- {BLOCKED}ysv.ru
- {BLOCKED}run.ru
- {BLOCKED}ales.ru
- {BLOCKED}ns-rb.ru
- {BLOCKED}-parusa.ru
- {BLOCKED}hta.org.ua
- {BLOCKED}on.rpdv.ru
- {BLOCKED}ican.edu
- {BLOCKED}a-vip.ru
- {BLOCKED}com.com
- {BLOCKED}navenue.com
- {BLOCKED}com.ua
- {BLOCKED}ettfurniture.com
- {BLOCKED}ne.de
- {BLOCKED}builders.com
- {BLOCKED}.izhnet.ru
- {BLOCKED}nsmail.com
- {BLOCKED}enworld.com
- {BLOCKED}elan.net
- {BLOCKED}a.gov.br
- {BLOCKED}cod.net
- {BLOCKED}grande.com
- {BLOCKED}ademarble.com
- {BLOCKED}olic.org
- {BLOCKED}rum.cz
- {BLOCKED}urytel.net
- {BLOCKED}rr.com
- {BLOCKED}ter.com
- {BLOCKED}addict.com
- {BLOCKED}kensys.com
- {BLOCKED}anet.fr
- {BLOCKED}ksville.com
- {BLOCKED}s-ic.com
- {BLOCKED}.net
- {BLOCKED}-internet.fr
- {BLOCKED}.com
- {BLOCKED}talnow.net
- {BLOCKED}com
- {BLOCKED}egeclub.com
- {BLOCKED}ections-etc.net
- {BLOCKED}aycorp.net
- {BLOCKED}so.com
- {BLOCKED}net.com.cy
- {BLOCKED}com.ua
- {BLOCKED}ondcpu.com
- {BLOCKED}bg
- {BLOCKED}cttv.com
- {BLOCKED}.cscdns.net
- {BLOCKED}.zenon.net
- {BLOCKED}.cscdns.net
- {BLOCKED}.name-services.com
- {BLOCKED}.zenon.net
- {BLOCKED}.name-services.com
- {BLOCKED}.name-services.com
- {BLOCKED}or.com
- {BLOCKED}onmount.com
- {BLOCKED}hlink.net
- {BLOCKED}om.net
- {BLOCKED}l.msn.com
- {BLOCKED}gotransbank.com
- {BLOCKED}gy-cars.com.ua
- {BLOCKED}nsalwen.com
- {BLOCKED}nsalwen.com.localdomain
- {BLOCKED}sville.net
- {BLOCKED}edu
- {BLOCKED}te.co.jp
- {BLOCKED}usu.edu
- {BLOCKED}t.net
- {BLOCKED}n.net
- {BLOCKED}ingc.on.ca
- {BLOCKED}dcity.net
- {BLOCKED}m.dk
- {BLOCKED}net.de
- {BLOCKED}atinriver.net
- {BLOCKED}l.com
- {BLOCKED}planeta.ru
- {BLOCKED}yrina.gazavia.gazprom.ru
- {BLOCKED}l-smtp-in.l.google.com
- {BLOCKED}ch
- {BLOCKED}eople.com
- {BLOCKED}my.com
- {BLOCKED}midco.net
- {BLOCKED}decom.net
- {BLOCKED}foot.mailshell.com
- {BLOCKED}ail.net
- {BLOCKED}iiantel.net
- {BLOCKED}ress.de
- {BLOCKED}tmail.com
- {BLOCKED}insville.net
- {BLOCKED}iail.com
- {BLOCKED}ail.com
- {BLOCKED}om
- {BLOCKED}ad.walt.play-mobile.ru
- {BLOCKED}pe.luck.mrwap.ru
- {BLOCKED}gey.mtg.gazprom.ru
- {BLOCKED}mtg.gazprom.ru
- {BLOCKED}com
- {BLOCKED}.ictn-service.ru
- {BLOCKED}.net
- {BLOCKED}lweb.ru
- {BLOCKED}om.br
- {BLOCKED}inet.com
- {BLOCKED}smtp.messagingengine.com
- {BLOCKED}rsey.com
- {BLOCKED}it.com
- {BLOCKED}telecom.net
- {BLOCKED}net
- {BLOCKED}mus.com.au
- {BLOCKED}u.net
- {BLOCKED}as.net
- {BLOCKED}i.edu
- {BLOCKED}.com
- {BLOCKED}vica.ru
- {BLOCKED}.cuny.edu
- {BLOCKED}edu
- {BLOCKED}ealth.org
- {BLOCKED}i.dk
- {BLOCKED}.natahost.ru
- {BLOCKED}.natahost.ru
- {BLOCKED}liit.ee
- {BLOCKED}ogy.net
- {BLOCKED}a.com
- {BLOCKED}er.com
- {BLOCKED}pa.com
- {BLOCKED}nsedtokill.com
- {BLOCKED}.com
- {BLOCKED}hta.org
- {BLOCKED}sfish.com
- {BLOCKED}.earthlink.net
- {BLOCKED}7.digitalwaves.co.nz
- {BLOCKED}shell.com
- {BLOCKED}brent.com
- {BLOCKED}er.hostsila.com
- {BLOCKED}spb.ru
- {BLOCKED}k.com
- {BLOCKED}llica.com
- {BLOCKED}co.com
- {BLOCKED}tary.com
- {BLOCKED}spring.com
- {BLOCKED}udi.ru
- {BLOCKED}vators.com
- {BLOCKED}net
- {BLOCKED}net
- {BLOCKED}andex.ru
- {BLOCKED}00030d01.gslb.pphosted.com
- {BLOCKED}00030d01.gslb.pphosted.com
- {BLOCKED}mail.ru
- {BLOCKED}r.com
- {BLOCKED}hr
- {BLOCKED}ame.com.ua
- {BLOCKED}ower.no
- {BLOCKED}arkdf.com
- {BLOCKED}com
- {BLOCKED}y.com
- {BLOCKED}y.ne.jp
- {BLOCKED}msn.com.au
- {BLOCKED}net.fr
- {BLOCKED}net.ne.jp
- {BLOCKED}lobus-telecom.com
- {BLOCKED}thost.ru
- {BLOCKED}ail.ru
- {BLOCKED}xname.org
- {BLOCKED}3-seo.com
- {BLOCKED}hc.ru
- {BLOCKED}infobox.org
- {BLOCKED}layer42.net
- {BLOCKED}nocsu.com
- {BLOCKED}xname.org
- {BLOCKED}bluehost.com
- {BLOCKED}companies.ru
- {BLOCKED}gthost.ru
- {BLOCKED}hc.ru
- {BLOCKED}infobox.org
- {BLOCKED}nocsu.com
- {BLOCKED}xname.org
- {BLOCKED}infobox.org
- {BLOCKED}layer42.net
- {BLOCKED}nic.ru
- {BLOCKED}infobox.org
- {BLOCKED}mail.ru
- {BLOCKED}nic.ru
- {BLOCKED}mail.ru
- {BLOCKED}prohosting.com.ua
- {BLOCKED}ukrdns.biz
- {BLOCKED}.1and1.com
- {BLOCKED}.1and1.com
- {BLOCKED}ukrdns.biz
- {BLOCKED}nic.ru
- {BLOCKED}el.net
- {BLOCKED}l
- {BLOCKED}and.edu
- {BLOCKED}on.kiev.ua
- {BLOCKED}ox.com
- {BLOCKED}com
- {BLOCKED}es
- {BLOCKED}nline.com
- {BLOCKED}m.ctmail.com
- {BLOCKED}ora.be
- {BLOCKED}otcay.como.bz
- {BLOCKED}agen.se
- {BLOCKED}com
- {BLOCKED}ovsky-prichal.ru
- {BLOCKED}.livedoor.com
- {BLOCKED}et.nl
- {BLOCKED}tar.com
- {BLOCKED}en.se
- {BLOCKED}mkinmitsubishi.com
- {BLOCKED}usonline.com.au
- {BLOCKED}tools.lt
- {BLOCKED}net.net
- {BLOCKED}net.net.localdomain
- {BLOCKED}tar.com
- {BLOCKED}ffmail.com
- {BLOCKED}ands.edu
- {BLOCKED}tec.com
- {BLOCKED}sal.com
- {BLOCKED}runner.com
- {BLOCKED}rs.com
- {BLOCKED}ee.com
- {BLOCKED}ru
- {BLOCKED}.nnov.transneft.ru
- {BLOCKED}adio.krsn.ru
- {BLOCKED}pole.com
- {BLOCKED}ina.com
- {BLOCKED}a.uk.com
- {BLOCKED}mobi.ru
- {BLOCKED}il.ua
- {BLOCKED}ua.ru
- {BLOCKED}ra.org
- {BLOCKED}iegoinsider.com
- {BLOCKED}y.ru
- {BLOCKED}n.com
- {BLOCKED}om
- {BLOCKED}63.ru
- {BLOCKED}e.com
- {BLOCKED}lobal.com
- {BLOCKED}use.ru
- {BLOCKED}k.ru
- {BLOCKED}t.ru
- {BLOCKED}.kp.org
- {BLOCKED}p.javagame.ru
- {BLOCKED}efer.ru
- {BLOCKED}ater.jg.ru
- {BLOCKED}olboy.com.ua
- {BLOCKED}olofaccounting.com
- {BLOCKED}ols.com
- {BLOCKED}olsafinat.ru
- {BLOCKED}oltask.ru
- {BLOCKED}olvl.ru
- {BLOCKED}ster.ru
- {BLOCKED}pt-php.ru
- {BLOCKED}letown.net
- {BLOCKED}tories.com
- {BLOCKED}am.cz
- {BLOCKED}.kyiv-city.gov.ua
- {BLOCKED}ru
- {BLOCKED}s-shop.com.ua
- {BLOCKED}.com
- {BLOCKED}con.ru
- {BLOCKED}ne.arhn.rgs.ru
- {BLOCKED}lygame.ru
- {BLOCKED}et.be
- {BLOCKED}a.diskom.brest.by
- {BLOCKED}e.hostsila.net
- {BLOCKED}plus.ru
- {BLOCKED}.live.com
- {BLOCKED}.ufa.ru
- {BLOCKED}o.com.ua
- {BLOCKED}aschita.ru
- {BLOCKED}ver.ru
- {BLOCKED}ngsips.com
- {BLOCKED}mputing.com
- {BLOCKED}les.com
- {BLOCKED}gate.net
- {BLOCKED}nie.com.pl
- {BLOCKED}bel.com
- {BLOCKED}tar.com
- {BLOCKED}abay.com
- {BLOCKED}it.varmail.com
- {BLOCKED}arus.uwa.edu.au
- {BLOCKED}orandfrancis.com
- {BLOCKED}a
- {BLOCKED}com
- {BLOCKED}72.ru
- {BLOCKED}ett.com
- {BLOCKED}pac.pt
- {BLOCKED}meimcute.com
- {BLOCKED}s.net
- {BLOCKED}a.es
- {BLOCKED}lotus.ru
- {BLOCKED}wild-west.com
- {BLOCKED}becedarian.com
- {BLOCKED}ali.it
- {BLOCKED}n.ru
- {BLOCKED}p.org
- {BLOCKED}to.com
- {BLOCKED}ar.ru
- {BLOCKED}cis.syr.edu
- {BLOCKED}k-shina.ru
- {BLOCKED}lband.ru
- {BLOCKED}nbrain.ru
- {BLOCKED}a-da.ru
- {BLOCKED}hu
- {BLOCKED}y.rr.com
- {BLOCKED}rknott.com
- {BLOCKED}rtsmith.edu
- {BLOCKED}net
- {BLOCKED}e
- {BLOCKED}com.br
- {BLOCKED}touch.com
- {BLOCKED}st.com
- {BLOCKED}.edu
- {BLOCKED}out.edu
- {BLOCKED}ine.com
- {BLOCKED}zonwireless.com
- {BLOCKED}oye.ru
- {BLOCKED}spb.ru
- {BLOCKED}or.ru
- {BLOCKED}tudio.ru
- {BLOCKED}ru
- {BLOCKED}us.transneft.ru
- {BLOCKED}ol.ru
- {BLOCKED}nye-recepty.ru
- {BLOCKED}im.rosbank.ru
- {BLOCKED}l.medispb.ru
- {BLOCKED}com
- {BLOCKED}fone.com
- {BLOCKED}com
- {BLOCKED}y.cz
- {BLOCKED}acafoundry.com
- {BLOCKED}breadhotels.com
- {BLOCKED}ursmith.com
- {BLOCKED}mail.com
- {BLOCKED}iams.edu
- {BLOCKED}stream.net
- {BLOCKED}d-net.co.nz
- {BLOCKED}donline.co.uk
- {BLOCKED}aol.com
- {BLOCKED}download.windowsupdate.com
- {BLOCKED}sc-os.ru
- {BLOCKED}tehopt.ru
- {BLOCKED}.ru
- {BLOCKED}.ru
- {BLOCKED}.co.nz
- {BLOCKED}cker.ru
- {BLOCKED}o.com.au
- {BLOCKED}o.dk
- {BLOCKED}tcement.ru
- {BLOCKED}andnet.nl
- {BLOCKED}co.uk
- {BLOCKED}ow.ru
It attempts to access the following websites to download files, which are possibly malicious:
- http://{BLOCKED}town.net/components/com_user/views/data/Core777.exe