Class TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Description: Trojan

A malicious program designed to electronically spy on the user’s activities (intercept keyboard input, take screenshots, capture a list of active applications, etc.). The collected information is sent to the cybercriminal by various means, including email, FTP, and HTTP (by sending data in a request).


Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports the execution of 32-bit applications. It is one of the most widespread programming platforms in the world.


This malware is distributed with the help of the Pushdo downloader. It is used by cybercriminals to create botnets (groups of computers manipulated for malicious purposes, coordinated by a command and control center) and send spam from the infected computers.

Technical overview as illustrated by: Trojan.Win32.Cutwail.b

Pushdo and similar malware decrypts itself and then carries out its destructive activity by downloading other malware (typically from the Cutwail family). Pushdo is capable of embedding itself into other processes without saving itself to disk.


Once decrypted, the source file comprises two files spliced together: one is required to generate junk traffic, and the other delivers the actual payload.

Pushdo code contains a large list of hardcoded servers. It contacts these servers by sending requests of a certain format. In addition, two RSA keys (a public and a private key) are hardcoded in the bot's code as plain text; however, they belong to different key pairs. A random RC4 session key is encrypted with the public key and is used to encrypt the request to the server. The private key is used to decrypt the session key from the server's response. The server responds to a correctly formed request with an HTML document containing an encrypted payload; otherwise, the server returns a 500 error. The payload is located around the middle of the document inside an HTML comment (between `<!--` and `-->`). The data between these markers is extracted and base64-decoded. The malicious program then verifies the checksum of the downloaded file and launches it.
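As an added triage example (not code from the original description or from the malware itself), the following Python pulls the commented-out payload from a captured reply of the kind described above and applies the checksum check before treating it as a valid payload. The sample reply and the CRC32 trailer are constructed assumptions, since the page does not specify the checksum algorithm.

```python
import base64
import binascii
import re
import zlib
from typing import Optional

# Constructed sample payload (not a real Pushdo/Cutwail binary).
PAYLOAD_BYTES = b"MZ\x90\x00" + b"\x00" * 12 + b"sample-payload"
# Assumed checksum scheme (not stated on the page): CRC32 of the payload,
# appended as 4 big-endian bytes before base64 encoding.
ENCODED = base64.b64encode(
    PAYLOAD_BYTES + zlib.crc32(PAYLOAD_BYTES).to_bytes(4, "big")
).decode()
# Constructed sample of a C&C reply: an HTML page with the payload hidden in
# an HTML comment roughly in the middle of the document.
SAMPLE_HTML = f"""<html><head><title>ok</title></head><body>
<p>filler text</p>
<!--{ENCODED}-->
<p>more filler</p>
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def extract_payload(status: int, body: str) -> Optional[bytes]:
    """Extract and verify the base64 payload hidden in an HTML comment.

    Returns the decoded payload, or None when the reply is an error (the
    server answers malformed requests with a 500), contains no comment,
    is not valid base64, or fails the (assumed) CRC32 trailer check.
    """
    if status != 200:
        return None
    m = COMMENT_RE.search(body)
    if not m:
        return None
    try:
        blob = base64.b64decode(m.group(1).strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 5:  # need at least one payload byte plus the 4-byte trailer
        return None
    data, trailer = blob[:-4], blob[-4:]
    if zlib.crc32(data) != int.from_bytes(trailer, "big"):
        return None  # corrupted or tampered download: do not launch
    return data
```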


Once running, the malicious file saves itself to %SYSTEM32% or to %USERDIR% under the name regedit.exe, as well as to the startup folder. At first launch, a data packet is sent to the address hardcoded in the bot's body, on port 25 or 443. The packet includes the local IP address, lip, OS version, DNS flags, and bot version. The bot attempts to determine its external DNS address, after which this address is used to communicate with the C&C server.

After the bot receives mailing information (message body, subject line, lists of recipients and senders), it begins to send messages via SMTP.
