
The Cutwail Trojan is hiding and defending itself

Cutwail also has rootkit features, so detecting and removing it is no easy task.

The Cutwail Trojan does a great deal to stay hidden on the infected system for as long as possible. If it is detected, it will already have made so many changes to Windows that removing it can be difficult: the Trojan infects several Windows system files, hides behind system processes, and damages important files such as winlogon.exe.

The Trojan can update itself over the Internet and download additional malware.


When the Cutwail Trojan starts, it performs the following actions:

  1. Creates the following files in the Windows System32 or Temp directory:
    [random numbers].sys
    cel90xbe.sys
    restore.sys
  2. Creates a Windows service with one of the following names:
    Ip6Fw
    NetDetect
    Secdrv
  3. In some cases, it copies a runtime.sys file to the C:\ drive and then loads it into memory.
  4. Adds the following entries to the registry:
    HKLM\SYSTEM\CurrentControlSet\Services\runtime\Start = 0x3
    HKLM\SYSTEM\CurrentControlSet\Services\runtime\Type = 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\runtime\ImagePath = "\??\%Windows%\System32\drivers\runtime.sys"
  5. Infects the process associated with Internet Explorer.
  6. Tries to update itself over the Internet and downloads further malicious files.
  7. Adds the following entries to the registry:
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x3
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ErrorControl = 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\??\%Windows%\System32\drivers\runtime2.sys"
  8. Loads the runtime2.sys file into memory.
  9. Creates the following entries in the registry:
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\ImagePath = "\SystemRoot\system32\drivers\runtime2.sys"
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Type = 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\Start = 0x1
    HKLM\SYSTEM\CurrentControlSet\Services\runtime2\DependOnGroup = "File System"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys\(Default) = "Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys\(Default) = "Driver"
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\startdrv = "%Windows%\Temp\startdrv.exe"
  10. Modifies or deletes the %Windows%\System32\winlogon.exe system file.
  11. Deletes the file named imapi.exe (if it exists).
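The artifacts above make a compact host-triage checklist. The following PowerShell script is an added example, not part of the original article; it only reads the registry and file system, and it assumes the service names, keys and paths exactly as listed above, with %Windows% taken as $env:SystemRoot.

```powershell
# Added example (not from the original article): read-only triage for the Cutwail
# artifacts listed above. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[string]

# Service keys named in the write-up. Ip6Fw and Secdrv are also names of legitimate
# drivers on older Windows versions, so the ImagePath is shown for manual review.
foreach ($svc in 'Ip6Fw', 'NetDetect', 'Secdrv', 'runtime', 'runtime2') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("service key present: $svc (ImagePath = $img)")
    }
}

# SafeBoot entries: these let runtime2.sys load even when Windows boots in Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\runtime2.sys"
    if (Test-Path -LiteralPath $key) { $findings.Add("SafeBoot entry present: $key") }
}

# Run-key autostart for startdrv.exe
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['startdrv']) {
    $findings.Add("Run entry present: startdrv = $($run.startdrv)")
}

# Dropped files with fixed names (paths assumed from the article's %Windows% notation)
$paths = @(
    "$env:SystemRoot\System32\drivers\runtime.sys",
    "$env:SystemRoot\System32\drivers\runtime2.sys",
    "$env:SystemRoot\System32\cel90xbe.sys",
    "$env:SystemRoot\System32\restore.sys",
    "$env:SystemRoot\Temp\startdrv.exe",
    'C:\runtime.sys'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# The "[random numbers].sys" file: any .sys in System32 or Temp whose name is purely numeric
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\Temp") {
    Get-ChildItem -LiteralPath $dir -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        ForEach-Object { $findings.Add("numeric-named driver file: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No Cutwail artifacts from the article were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the Trojan has rootkit features, a kernel driver can hide its files and keys from user-mode queries like these, so a clean result is not proof of a clean host; pair the script with an offline scan and check winlogon.exe with `sfc /verifyfile=C:\Windows\System32\winlogon.exe`.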
