BitDefender weekly review

This week we stumbled across a new version of the Cutwail botnet (also known as Pandex or Pushdo). We've takes the liberty to analyze its main components and see what makes it tick, because it's the second largest spam-bot on the planet, which means it has to be interesting.


Yet another JavaScript that is used to exploit one of the Adobe Reader and Acrobat code execution vulnerabilities described in detail here: CVE-2008-2992. If the malicious PDF file is executed, the JavaScript inside it will do the following:

– decrypt

its encrypted body (first phase), responsible for injecting the shell-code at a specific address into the attacked process.

– Place
several NOP (No Operation) instructions at the begging of that code to make sure execution of the shell-code starts at the beginning.

The shell-code (~450 B) will first decrypt the rest of the code (second phase), make sure certain API functions are available to it, then attempt a download for an executable file located at http://netcorb[removed]/load.php which will be saved under the current folder with the name “~.exe”. If the download is successful, the script will launch the executable.


This Trojan is a versions of the Cutwail (Pushdo/Pandex) Trojan that forms the second largest spam BotNet on the planet – sending proximately 7.7 billion emails per day.

When first executed, the main installer (which is actually nothing but a downloader) unpacks itself in memory. It then makes a copy of the original *.exe into %userprofile%%username%.exe
and registers it to start at every system startup, then deletes the original file.

In order to protect itself, it will continuously launch, do its job, then exit. This makes it almost impossible to kill because of the rapidly changing process identifier.

Its main purpose is to download the other two components of the Trojan: the rootkit dropper and the spammer.

If successful, it will execute the rootkit first, which was saved in %temp% under the name BN[number].tmp. This file will drop a driver inside %windir%system32drivers[name].sys where name can be any of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.

Regardless of the file name, the driver creates a symbolic link to the file which is “ndis_ver2”. If the driver is already present it will update it to the latest version.

After this process, the *.tmp file will be deleted.

The driver contains another copy of the original downloader and will inject it into services.exe from kernel mode, to make removal even harder.

After the driver has been launched, the spammer component follows. It will be injected by the downloader into svchost.exe, which trnasforms the system into a spam-bot, sending hundreds of unwanted emails per day.

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Balazs Biro