cutwail spamBOT

This is what a motherf*cker looks like.
YOU MOTHERF*CKER!! I was looking forward to an easy day after all of the stupid Conficker.C hype yesterday…but as soon as I walked into the office this morning — BAM! Users sending NDRs due to blacklisting on spamhaus. WTF?!
It’s been a hell of a day trying to isolate which computer, out of 150, you’re hiding in. I still don’t know. But I made some adjustments to the firewall and now your nefarious activities can no longer bother anyone.
Hopefully this resolves your stupidness. I mean, look at you…with your spam chest and your stupid dome head.
Now I’ve gotta keep an eye out on the spam lists…if we’re getting added to more lists, then you’re winning. If we’re being removed from lists…then I win.
…and I never lose.

Hey, I found you with Google. I have the same problem! Only I have 1500 computers. What adjustments did you make? So far I just blocked port 25 for everything except the mail server. Did you do anything else to your firewall?
To resolve the issue, what eventually happened was I immediately blocked port 25 for all IP addresses EXCEPT the email server and our BlackBerry server. It ended up being that easy, except for a rookie error on my part. When I created the rule to block port 25, I didn’t know that the infected machine had a persistent connection to port 25. When you block a port, it doesn’t kick out any offending connections (by offending, I mean non-email IP addresses using that port) — it just won’t allow any new ones in.
I had to look in the connections manager and I could see which IPs were using which services. It took a few days for me to check current connections and right there was a computer that had two connections to port 25 open. I ran a tool to restart the computer remotely, yanked its network cable and scanned it for Cutwail using Microsoft’s Malicious Software Removal Tool. The tool only confirmed that this machine was infected with Cutwail. Once I got the confirmation, I used MalwareBytes AntiMalware to remove the infection. MalwareBytes AntiMalware is a free trial…so I didn’t need to pay to use it. Also, Microsoft’s Malicious Software Removal Tool is a free download.
I too have a “Cutwail” problem…
I’m probably betraying my ignorance but…what is the “Connections Manager”? and where do I get it?
Connections Manager is just an arbitrary name that my firewall uses to see what is currently connected to the firewall and using which ports. I believe that most firewalls will have some form of this. I could see through this portion of the firewall that a desktop had a connection open on port 25 — which it shouldn’t have had. That’s how I was able to detect which computer on the network was infected.
Good luck to you and if I can offer any other assistance, please ask.
We were blacklisted by CBL and others. The message on CBL was that we were infected by cutwail spamBOT.
After an intensive weekend spent scanning PCs and systems without success, we found out that our Exchange server was being abused as a spam server by sending non-delivery report (NDR) messages to faked senders.
Disabling NDRs solved the problem.
Disable NDR:
From Exchange System Manager, Global Settings, Internet Message Format.
Double click on your right. Advanced tab. Uncheck “Allow non-delivery reports”.
You must also activate the setting on the SMTP connection protocol: Exchange Server, Protocols, Default SMTP Virtual Server => Properties by left click.
In the popup: General, click on the listed item, click on the button ‘Modify’.
In the popup: check “Absendungskennungsfilter verwenden” on the top right (sorry, I only have a German Exchange; it must translate to something like ‘use sender identification filter’).
[...] experiencing a major IT Problem, one computer on the network have most likely been infected by a spamBOT – and are being blacklisted on the relevant spam [...]
I had the cutwail trojan sending spam.
Our internet provider blocked outgoing email over smtp port 25 until resolved.
Our CA eTrust PestPatrol didn’t pick it up at first!
What worked for me was to add a firewall rule to block all outgoing SMTP traffic on port 25 and have it log all connection attempts.
Viewed the logs (ruling out my email server’s IP to start) and the offending IP was obvious as the hits were hundreds per minute.
Match the IP to a computer by checking DHCP allocations.
Scan the offending IP/PC with the latest MRT (Microsoft Malicious Software Removal Tool) and disconnect it from the network until clean.
Re-enable SMTP traffic on the firewall after double checking the logs for other possible spamming.
Happy Hunting
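The two detection approaches described in this thread (the firewall log review above, and the earlier reply that found a desktop with persistent connections to port 25 in the firewall’s connections manager) can be automated. The script below is an added example and is not code from the original post or from any of the commenters; the log format, connection-table format, DHCP lease table, and the two allowed mail hosts are all constructed assumptions, since real SBS, Cisco and NETGEAR devices each log differently. It ranks LAN hosts by blocked SMTP attempts, separately flags hosts that still hold ESTABLISHED port-25 connections (the ones a new block rule does not kick out), and maps each suspect to its DHCP lease.

```python
"""Find the LAN host behind an outbound port-25 spam burst (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed: only the mail server and the BlackBerry server may use TCP/25.
ALLOWED_SMTP_HOSTS = {"192.168.1.10", "192.168.1.11"}

# Constructed firewall log from an egress rule that denies and logs TCP/25
# from every host except the allowed ones (format is invented for this example).
FIREWALL_LOG = """\
2009-04-10 09:00:00 src=192.168.1.10 dst=203.0.113.25 dport=25 action=allow
2009-04-10 09:00:05 src=192.168.1.57 dst=198.51.100.7 dport=25 action=deny
2009-04-10 09:00:06 src=192.168.1.57 dst=198.51.100.8 dport=25 action=deny
2009-04-10 09:00:06 src=192.168.1.57 dst=198.51.100.9 dport=25 action=deny
2009-04-10 09:00:07 src=192.168.1.57 dst=198.51.100.10 dport=25 action=deny
2009-04-10 09:00:08 src=192.168.1.57 dst=198.51.100.11 dport=25 action=deny
2009-04-10 09:00:09 src=192.168.1.57 dst=198.51.100.12 dport=25 action=deny
2009-04-10 09:00:30 src=192.168.1.11 dst=203.0.113.25 dport=25 action=allow
2009-04-10 09:00:40 src=192.168.1.80 dst=198.51.100.20 dport=80 action=allow
2009-04-10 09:00:50 src=192.168.1.60 dst=198.51.100.30 dport=25 action=deny
2009-04-10 09:01:00 src=192.168.1.57 dst=198.51.100.13 dport=25 action=deny
"""

# Constructed "connections manager" dump: connections already open when the
# block rule was added survive it, so they must be checked separately.
CONNECTION_TABLE = """\
proto=tcp src=192.168.1.10:4931 dst=203.0.113.25:25 state=ESTABLISHED
proto=tcp src=192.168.1.57:1057 dst=198.51.100.5:25 state=ESTABLISHED
proto=tcp src=192.168.1.57:1058 dst=198.51.100.6:25 state=ESTABLISHED
proto=tcp src=192.168.1.80:2200 dst=198.51.100.20:80 state=ESTABLISHED
"""

# Constructed DHCP lease table: ip mac hostname
DHCP_LEASES = """\
192.168.1.57 00:1a:2b:3c:4d:5e WS-ACCOUNTING-07
192.168.1.60 00:1a:2b:3c:4d:60 WS-SALES-02
192.168.1.80 00:1a:2b:3c:4d:80 WS-RECEPTION
"""

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")
CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"state=(?P<state>\w+)")


def parse_firewall_log(text):
    """Parse log lines into dicts; lines in an unknown format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def smtp_talkers(records, allowed=ALLOWED_SMTP_HOSTS):
    """Rank non-mail hosts by port-25 attempts over the log's time window."""
    smtp = [r for r in records if r["dport"] == 25 and r["src"] not in allowed]
    if not smtp:
        return []
    first = min(r["ts"] for r in records)
    last = max(r["ts"] for r in records)
    window_min = max((last - first).total_seconds(), 1) / 60.0
    attempts, targets = defaultdict(int), defaultdict(set)
    for r in smtp:
        attempts[r["src"]] += 1
        targets[r["src"]].add(r["dst"])  # a bot hits many distinct MX hosts
    ranked = [{"src": s, "attempts": n, "distinct_dst": len(targets[s]),
               "per_minute": round(n / window_min, 1)} for s, n in attempts.items()]
    ranked.sort(key=lambda d: d["attempts"], reverse=True)
    return ranked


def established_smtp(table, allowed=ALLOWED_SMTP_HOSTS):
    """Count ESTABLISHED port-25 connections held by non-mail hosts."""
    counts = defaultdict(int)
    for line in table.splitlines():
        m = CONN_RE.search(line)
        if m and m["dport"] == "25" and m["state"] == "ESTABLISHED" and m["src"] not in allowed:
            counts[m["src"]] += 1
    return dict(counts)


def lease_owner(leases, ip):
    """Map an IP to the MAC and hostname recorded in the DHCP lease table."""
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == ip:
            return {"mac": parts[1], "hostname": parts[2]}
    return None


def investigate(log=FIREWALL_LOG, conns=CONNECTION_TABLE, leases=DHCP_LEASES, min_attempts=5):
    """Combine both signals and attach lease info for each suspect host."""
    suspects = {}
    for t in smtp_talkers(parse_firewall_log(log)):
        if t["attempts"] >= min_attempts:  # a single stray attempt is not a bot
            suspects[t["src"]] = dict(t)
    for src, n in established_smtp(conns).items():
        suspects.setdefault(src, {"src": src})["established_smtp"] = n
    for src, info in suspects.items():
        info["lease"] = lease_owner(leases, src)
    return suspects


if __name__ == "__main__":
    for src, info in investigate().items():
        print(src, info)
```

Run it and the only host reported is 192.168.1.57 (WS-ACCOUNTING-07): seven blocked attempts to seven different destinations in a minute, plus two SMTP connections that were already established before the block. 192.168.1.60 made one attempt and is not reported, which is the reason for the attempts threshold; lower it if you want to see every host that ever touched port 25.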
I just looked for the computer with the background stating that “I AM AT RISK!” with binary background.
Hi,
I am experiencing a similar issue, can’t send out emails on our domain. I blocked the NDRs on Exchange, but am using 2007 and I have ticked the box. Is there anything else I need to do?
Also, not sure about blocking port 25 and only allowing the mail server and BlackBerry server through the SBS 2008 firewall.
We have 40 PCs on the network, and I have run Trend AV and Malwarebytes on all PCs, yet am still getting blocked.
Anyone have any ideas?
Thanks
The best thing to do is to block port 25 except for your mail server. Your PCs don’t need to access port 25, except for a spambot to send out mail. Doing this eliminates 95% of the problems that’s associated with spambots.
If you’re sure the spambot is gone, the blacklists will eventually automatically remove you from the lists. If you know which lists you’re on…you can go and manually petition each one to remove you now.
The problem with this, once you get removed and you HAVEN’T removed the issue, then they’ll put you back on the list and it’ll be harder to take yourself off of them.
The program that I found worked best to remove the cutWAIL spambot was actually the Windows Malicious Code remover. It’s a free download from Microsoft’s website…and it found the CutWail spambot and removed it easily.
Best of Luck, George!
Thanks Trizz,
I managed to set up a rule on the sbs2008 server to block port 25 except for the mail server. I think it would be good to block it on the NETGEAR ProSafe VPN Wireless ADSL Gateway DGFV338 as we are using this router as the firewall, but not sure how you can make exceptions whilst creating the rules.
Where can I locate the Windows Malicious Code remover, can I manually save it and then run it from the SBS 2008 server? My security settings don’t allow me to download.
Thanks,
George
Hi, thanks for this article.
Today we have been blocked by spamhaus cbl. The culprit is cutwail spambot.
Please forgive my question lol.
How do I block the port 25 for everything except the exchange server. Is this done on our cisco router?
I’m using Cisco SDM to connect to the router’s configuration.
Many thanks in advance for any help.
George,
I don’t know if this will help you out or not, but we’re trying this site right now. Microsoft says it should catch and remove Cutwail. Hopefully it works and will be of some assistance.
http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt
Hi Laura,
We seem to have gotten rid of the pest!
We blocked port 25 on all PCs except the mail server, and Trend AV, Malwarebytes and the Windows Malicious Software Removal Tool seem to have done the trick. I have also disabled all NDRs and haven’t been blacklisted for over a week now!
Thanks,
George