• Question

  • Can anyone help me get rid of this virus? Win32/culwail.AA  TROJAN DROPER

    Thank you
    Saturday, May 24, 2008 10:56 AM


All replies

  • Valcore;


    You need to provide more information (and the correct spelling).

    I believe you mean this dropper trojan: TrojanDropper:Win32/Cutwail.AA

    Are you using Windows Live OneCare, which provides you with removal support?  If not, what detected it?

    The Microsoft Malicious Software Removal Tool also claims to both detect and repair this Trojan family.

    Saturday, May 24, 2008 3:30 PM
  • As of December 10, 2008, the malicious software removal tool and/or OneCare cannot remove threats in this family, though OneCare incorrectly reports that it has done so.  According to users I've contacted in the OneCare forums, the same is true for at least 20 commonly reported viruses/worms.  At least one of them, Win32\Mariofev.A, has been known for over 7 months, with a very simple method of removal which, unfortunately, must be done manually or with a 3rd party tool AFTER the painful 6-hour wait for OneCare to complete a scan, report the find, and report it's been removed when it actually hasn't. 


    Microsoft will initially blame the failure on the user's failure to disable system restore or neutralize other threats that would lead to reinfection.  What's actually happening is that the necessary registry modifications and file restores (e.g. user32.dll) are not carried out as the removal tool claims they are. 


    Users of the tool are not notified of the failure and are unaware a problem remains until they run another scan.  The somewhat nonsensical response users are receiving from Microsoft is that the scanner reports success but they should be looking at the scanner's output log to determine if the threat was removed.  This log is a hidden file which resides in varying locations depending on the version of Windows, and the user is never made aware of its existence until reporting the failure.


    Since discovering and researching my own Mariofev.A infection on December 7, I have yet to hear from a single OneCare user that the tool has been able to remove any of the detected threats.  I disagree with the perception that the free tool won't do the removal in order to entice users to pay for the full version -- I am convinced that the anonymous "send this threat data to Microsoft" part of the tool is being used to collect data on threats Microsoft does not know how to counter.  As I said in the opening paragraph, this includes 20 common viruses/worms affecting users today, all of which have fixes provided by companies such as Symantec.  At least one, the Mariofev.A worm, has had a known fix for over 7 months, and the Microsoft tools cannot remove it yet.


    As for the snide remark about the spelling of the poor guy who started this thread, I'd point out that it's hard to concentrate on spelling when your system is infected, that I see an error in your own response, and maybe if Microsoft concentrated on writing more secure software or a FUNCTIONAL virus scanner, there'd be no need for this nonsense in the first place.


    Wednesday, December 10, 2008 9:00 PM
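  • The reply above argues that the scanner's on-screen "removed" report cannot be trusted and that the real evidence is in its log, in the registry, and in whether files such as user32.dll were actually restored. The script below is an added example, not something posted by anyone in this thread, and it does not come from Microsoft. It checks those three things independently. Assumptions that are mine and not stated on the page: MSRT writes its log to %windir%\debug\mrt.log (MSRT's documented location; OneCare's own log location is not given in the thread, so it is not searched here), the session is an elevated PowerShell on Vista or later (sfc /verifyonly and HKLM reads need it), and the autostart locations listed are the ones a dropper commonly uses, chosen by me rather than taken from the thread.

```powershell
# Added verification checks; not from the thread and not Microsoft's code.
# Assumptions (mine): MSRT logs to %windir%\debug\mrt.log; running elevated
# on Vista or later. Nothing here removes anything; it only reports.

# 1. What the scanner actually logged, as opposed to what its UI claimed.
$mrtLog = Join-Path $env:windir 'debug\mrt.log'
if (Test-Path $mrtLog) {
    Write-Host "--- last 40 lines of $mrtLog ---"
    Get-Content -Path $mrtLog | Select-Object -Last 40
} else {
    Write-Host "No MSRT log at $mrtLog (MSRT has not run, or logs elsewhere on this build)."
}

# 2. Is user32.dll still the Microsoft-signed binary the scanner claims to have restored?
#    Catalog-signed system files can report NotSigned on older builds, so treat
#    sfc /verifyonly (Vista and later) as the authoritative integrity check.
$user32 = Join-Path $env:windir 'System32\user32.dll'
$sig = Get-AuthenticodeSignature -FilePath $user32
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
Write-Host ("user32.dll signature: {0}; signer: {1}" -f $sig.Status, $signer)
Write-Host "--- sfc /verifyonly (protected system files vs. catalog) ---"
sfc /verifyonly

# 3. Autostart entries the removal tool was supposed to clean up.
#    Anything unfamiliar here is what to investigate by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "--- $key ---"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# Winlogon values that malware rewrites to relaunch itself at logon.
# Expected on a clean box: Shell = explorer.exe, Userinit = <windir>\system32\userinit.exe,
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Host "--- $winlogon (Shell / Userinit) ---"
Get-ItemProperty -Path $winlogon | Select-Object -Property Shell, Userinit | Format-List
```

    Compare the log tail with the registry and Winlogon output: a "removed" line in the log next to an autostart entry that still points at the dropper's file is exactly the discrepancy the reply above describes.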
  • That wasn't exactly a reference to the spelling rules of the English language, when asking the OP to clarify.  It was all about being able to find any documentation on one specific piece of malware out of hundreds of thousands:


    Win32/Cutwail: "in January 2008 we included Cutwail to MSRT.  More than 193,000 distinct machines were cleaned from Cutwail infection during the month.  Note Cutwail is a multi-purpose threat family and only a subset of this family is spammer trojans.  These spamming variants accounted for more than 39,000 cleaned machines in January and it has stayed between 71,000 and 97,000 cleaned machines since then."
    http://blogs.technet.com/mmpc/archive/2008/08/08/msrt-on-captcha-breaking-malware.aspx

    Thursday, December 11, 2008 7:38 PM