Content
Cutwail.gen.o
- Type
- Trojan
- SubType
- Win32
- Discovery Date
- 02/01/2010
- Length
- Varies
- Minimum DAT
- 5881 (02/03/2010)
- Updated DAT
- 5881 (02/03/2010)
- Minimum Engine
- 5.3.00
- Description Added
- 02/01/2010
- Description Modified
- 02/02/2010 2:16 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update February 2, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
--
When executed, this malware drops a copy of itself in the following location:
- %UserProfile%\imPlayok.exe
- %System%\imPlayok.exe
Note:
- %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName]
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System32
The malware then creates the following registry entries to ensure its execution at system startup:
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%System%\imPlayok.exe" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%UserProfile%\imPlayok.exe"
Symptoms
- Presence of files and registry entries mentioned
- Increase in outbound SSL connections on port 443
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
Variants
N/A
All Information
Overview -
This detection is for a malware, which when executed, attempts to connect to a list of predefined sites on port 443[SSL].
The characteristics of this malware with regards to file names used, sites contacted etc. could differ from variant to another. Hence, this is a general description.
Aliases
- Backdoor.Win32.HareBot.anq [Kaspersky Lab]
- Mal/Harebot-A [Sophos]
- Trojan.Pandex [Symantec]
- Trojan:Win32/Malagent [Microsoft]
Characteristics
Characteristics -
-- Update February 2, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
--
When executed, this malware drops a copy of itself in the following location:
- %UserProfile%\imPlayok.exe
- %System%\imPlayok.exe
Note:
- %UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName]
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System32
The malware then creates the following registry entries to ensure its execution at system startup:
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%System%\imPlayok.exe" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
imPlayok = "%UserProfile%\imPlayok.exe"
Symptoms
Symptoms -
- Presence of files and registry entries mentioned
- Increase in outbound SSL connections on port 443
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.
Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
Removal -
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
