| Aliases: | Backdoor.Win32.Protector.a (Kaspersky), Backdoor.Trojan (Symantec), TrojanDownloader:Win32/Cutwail.gen!C (Microsoft) |
| Type of infiltration: | Trojan |
| Size: | 16384 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4163 (20090617) |
Short description
The trojan tries to download several files from the Internet. The files are then executed.
Installation
When executed, the trojan copies itself to the following locations:
- %system%\reader_s.exe
- %userprofile%\reader_s.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "reader_s" = "%system%\reader_s.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "reader_s" = "%userprofile%\reader_s.exe"
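A check for the two Run entries listed above, as an added example that is not part of the original description. It assumes the input is the text of a .reg export of the HKLM and HKCU hives; the function names and the sample export are constructed for illustration, and the image is matched by file name only because %system% and %userprofile% expand differently on each host.

```python
import re

# Indicators taken from the description above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "reader_s"
IMAGE = re.compile(r'(?:^|[\\/"])reader_s\.exe(?=$|["\s])', re.IGNORECASE)
SECTION = re.compile(r"^\[(?P<key>.+)\]$")
STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export syntax (not data from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Windows\\system32\\exampletray.exe"
"reader_s"="C:\\WINDOWS\\system32\\reader_s.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Documents and Settings\\alice\\reader_s.exe"
"updater"="\"C:\\Program Files\\App\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Example]
"reader_s"="not a Run key"
'''


def unescape(text):
    # .reg exports backslash-escape backslashes and quotes inside strings.
    return re.sub(r"\\(.)", r"\1", text)


def find_reader_s_persistence(reg_text):
    """Return (key, value name, data, reasons) for matching Run entries."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group("key")
            continue
        value = STRING_VALUE.match(line)
        if not value or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        name, data = unescape(value.group("name")), unescape(value.group("data"))
        reasons = [label for label, matched in (
            ("value name", name.lower() == VALUE_NAME),
            ("image name", bool(IMAGE.search(data)))) if matched]
        if reasons:
            hits.append((key, name, data, reasons))
    return hits
```

An entry that matches on image name but not on value name, like the second hit in the sample, still points at a file called reader_s.exe and warrants a look at the file itself.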
The trojan creates and runs a new thread with its own program code within the following processes:
Other information
The trojan contains a list of URLs. It tries to download several files from these addresses.
These are stored in the following locations:
A string with variable content is used instead of %variable%.
The downloaded files contain encrypted executables. After decryption, the trojan runs these files.
The trojan may create and run a new thread with its own program code within any running process.