
[Malware Review] The new member of the Cutwail dynasty

Bogdan BOTEZATU

November 09, 2009


Once run on the system, the Trojan creates copies of itself in the %SYSTEMROOT%\System32 and %HOMEPATH%\%USERNAME% folders under the name reader_s.exe. It also adds itself to the list of programs executed at each Windows startup and deploys additional components that give a remote attacker access to the infected machine.
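As an added example that is not part of the original article, the PowerShell triage script below checks a Windows machine for the artefacts described above: a reader_s.exe dropped in the two folders the article names, plus the usual Run/RunOnce registry keys and Startup folders. The file name and drop folders come from the article; the specific autostart locations are an assumption, since the article only says the Trojan adds itself to the programs run at startup.

```powershell
# Added example, not code from the original article: a local triage check for the
# persistence artefacts described in the text. Run in an elevated PowerShell session so
# that the HKLM keys and System32 are readable.

$IocName = 'reader_s.exe'

# Drop locations named in the article. %HOMEPATH% is drive-relative ("\Users\name"), so it
# is resolved against %HOMEDRIVE% to obtain an absolute path.
$Candidates = @(
    (Join-Path (Join-Path $env:SystemRoot 'System32') $IocName),
    (Join-Path (Join-Path "$env:HOMEDRIVE$env:HOMEPATH" $env:USERNAME) $IocName)
)

$Findings = @()

# 1. Dropped copies of the executable (Test-Path also sees hidden files).
foreach ($Path in $Candidates) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $Findings += [pscustomobject]@{ Type = 'File'; Location = $Path; Detail = "SHA256 $Hash" }
    }
}

# 2. Autostart registry entries. The Run/RunOnce keys are an assumption; the article does
#    not say which startup mechanism the Trojan uses.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($Key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Props = Get-ItemProperty -LiteralPath $Key
    foreach ($Prop in $Props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($Prop.Name -like 'PS*') { continue }
        if ("$($Prop.Value)" -match [regex]::Escape($IocName)) {
            $Findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$Key\$($Prop.Name)"
                Detail   = "$($Prop.Value)"
            }
        }
    }
}

# 3. Per-user and all-users Startup folders (also an assumption). -Force includes hidden files.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

foreach ($Dir in $StartupDirs) {
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir)) { continue }
    $Items = Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue
    foreach ($Item in $Items) {
        if ($Item.Name -ieq $IocName) {
            $Findings += [pscustomobject]@{ Type = 'Startup'; Location = $Item.FullName; Detail = 'present' }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No $IocName artefacts found in the checked locations."
} else {
    $Findings | Format-Table -AutoSize
}
```

A clean result from this script is not proof of a clean machine: the check only covers the file name and locations the article reports for this variant, and the article itself notes that each new Cutwail variant adds features. A hit, on the other hand, is a strong signal, and the SHA-256 printed for a dropped file can be submitted to the antimalware vendor or compared against other hosts in the same network.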

The backdoor component in Trojan.Cutwail.Z also allows it to be automatically upgraded by its “master” from a remote location over the Internet. The Cutwail family is extremely prolific and each new variant of the Trojan includes additional features.

The Cutwail family, also known as Pushdo, is responsible for one of the largest active botnets. The total number of “zombified” systems is impressive. They are used primarily for sending spam messages, but Cutwail is more than a spam engine: other variants of the Trojan also download third-party malicious files and install them on the already-infected machine.

Because Cutwail infections are extremely difficult to spot (the only visible symptom is increased Internet activity), you are advised to scan your system regularly with a freshly updated antimalware solution.

Information in this article is available courtesy of BitDefender virus researcher Marius Vanta.

Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.
