Analysis by: Rommel Abraham Joven

ALIASES:

Infostealer.Limitail (Symantec); TrojanDropper:Win32/Cutwail.gen!K (Microsoft); Trojan.Win32.Cutwail.fhh (Kaspersky)

PLATFORM:

Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size: 136,327 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 19 Feb 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copy of itself into the affected system and executes it:

  • %User Profile%\pofemxoffofp.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entry to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pofemxoffofp = %User Profile%\pofemxoffofp.exe
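A defender-side check for the installation and autostart behaviour described above, added here as an example and not part of the original entry. It parses the text output of `reg query` for the HKCU Run key (a constructed sample is embedded), flags the exact value name and file name given in this entry, and also flags any Run value whose target executable sits directly in a user profile folder; that broader check is an assumed heuristic, not something the entry states.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this entry: the dropped copy's file name and its Run value name.
IOC_VALUE_NAME = "pofemxoffofp"
IOC_FILE_NAME = "pofemxoffofp.exe"
# Profile roots named in the entry's %User Profile% note (2000/XP/2003 and Vista/7).
PROFILE_ROOTS = (r"c:\documents and settings", r"c:\users")
# A value line of `reg query` output: "<name>    <type>    <data>", indented by spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")

def first_path(data):
    """Return the program path from a Run value, stripping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]

def in_profile_root(path):
    """Heuristic (an assumption, not from the entry): .exe directly in a profile folder."""
    # Legitimate Run targets normally live under AppData or Program Files, not in
    # C:\Users\<name>\ itself, which is where this entry says the copy is dropped.
    parts = PureWindowsPath(path).parts             # e.g. ('C:\\', 'Users', 'alice', 'x.exe')
    if len(parts) != 4 or not parts[3].lower().endswith(".exe"):
        return False
    return (parts[0] + parts[1]).lower() in PROFILE_ROOTS

def find_suspicious_run_entries(reg_query_output):
    """Parse `reg query` text for a Run key; return (value name, path, reason) tuples."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue                                # key header and blank lines
        name, _type, data = m.groups()
        path = first_path(data)
        if name.lower() == IOC_VALUE_NAME or path.lower().endswith("\\" + IOC_FILE_NAME):
            findings.append((name, path, "matches the indicator in this entry"))
        elif in_profile_root(path):
            findings.append((name, path, "executable directly in profile root (heuristic)"))
    return findings

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    pofemxoffofp    REG_SZ    C:\Users\alice\pofemxoffofp.exe
    Windows Update  REG_SZ    C:\Users\alice\qwxzlp.exe
"""
```

Run `reg query` on the host and feed the captured text to `find_suspicious_run_entries`; the second sample finding shows the heuristic catching a differently named copy at the same drop location.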

Other Details

This Trojan connects to a large number of possibly malicious URLs, which the original entry lists with their hostnames partially redacted as {BLOCKED}.
