Threat Encyclopaedia

Win32/Wigon.KU

Aliases: Trojan.Win32.Rabbit.jq (Kaspersky), TrojanDownloader:Win32/Cutwail.AI (Microsoft), Troj/Agent-KJH (Sophos)
Type of infiltration: Trojan
Size: 58369 B
Affected platforms: Microsoft Windows
Signature database version: 4091 (20090520)

Short description
The trojan tries to download several files from the Internet. The files are then executed.
Installation
When executed, the trojan copies itself into the following location:
  • %userprofile%\%username%.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "%username%" = "%userprofile%\%username%.exe"
Other information
The trojan creates and runs a new thread with its own program code within one of the running processes.

The trojan contains a list of 9 URLs. It tries to download several files from these addresses.

These are stored in the following locations:
  • %temp%\BN%variable%.tmp
A string with variable content is used instead of %variable%.

The downloaded files contain encrypted executables. After decryption, the trojan runs these files.

The trojan launches the following processes:
  • netsh.exe firewall set allowedprogram %filepath% ENABLE
This command creates an exception in the Windows Firewall.
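
A host triage check for the artifacts listed in this entry, as an added PowerShell example (not part of the original entry or the vendor's tooling). The function name Get-WigonArtifact is hypothetical, and limiting the firewall check to programs under the user profile is an assumption, because the entry gives only %filepath%.

```powershell
# Added example: triage the current user's profile for the artifacts described above.
# Get-WigonArtifact is a hypothetical name; run it in the affected user's session,
# because every location in the entry is per-user (HKCU, %userprofile%, %temp%).
function Get-WigonArtifact {
    $user    = $env:USERNAME
    $dropped = Join-Path $env:USERPROFILE "$user.exe"
    $runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

    # 1. Self-copy at %userprofile%\%username%.exe
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        [pscustomobject]@{ Indicator = 'Dropped copy'; Detail = $dropped }
    }

    # 2. Run value named after the user ("%username%" = "%userprofile%\%username%.exe")
    $key = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
    if ($key) {
        $value = $key.GetValue($user)
        if ($value) {
            [pscustomobject]@{ Indicator = 'Run value'; Detail = "$user = $value" }
        }
    }

    # 3. Downloaded files at %temp%\BN%variable%.tmp. The variable part is unknown,
    #    so BN*.tmp is a broad pattern: treat matches as leads to review, not proof.
    Get-ChildItem -Path $env:TEMP -Filter 'BN*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Temp file candidate'; Detail = $_.FullName }
        }

    # 4. Firewall rules for programs under the user profile (assumption: the entry
    #    does not say which path %filepath% refers to). Needs the NetSecurity module.
    if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
        $prefix = [WildcardPattern]::Escape($env:USERPROFILE)
        Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Program -like "$prefix\*" } |
            ForEach-Object {
                [pscustomobject]@{ Indicator = 'Firewall rule for profile program'; Detail = $_.Program }
            }
    }
}

Get-WigonArtifact | Format-Table -AutoSize
```

An empty result means none of these per-user artifacts were found for the account running the check; repeat it for each user profile on the host.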