4 Replies Latest reply on Nov 5, 2009 1:54 PM by secured2k

W32/Cutwail.a!rootkit

Anyone see this? Actual product from VirusScan.

Actual threat names: W32/Cutwail.a!rootkit

Affected Object: C:\WINDOWS\System32\drivers\ndis.sys

• 1. Re: W32/Cutwail.a!rootkit
  Peter M

  Moved to Malware Discussion.

  What makes you think it's a McAfee product? It's well documented on the web as an infection.

  Are you seeking help with removal or just pointing it out?

• 2. Re: W32/Cutwail.a!rootkit

  My McAfee AV detected this and it has been removed.

  ePolicy Orchestrator Notification

  Rule: Virus Detected and Removed

  Rule Defined At: Directory

  Description: Notifications sends an e-mail message when "Virus Detected and Removed" events are received.

  Number of events: 1

  Actual threat names: W32/Cutwail.a!rootkit

  Actual products: VirusScan

  Affected Computer IP:

  Affected Computer Name:

  Affected Object: C:\WINDOWS\System32\drivers\ndis.sys

  Source computer IP addresses: Not Available

  For additional information, see the Notification Log in the ePolicy Orchestrator console.

• 3. Re: W32/Cutwail.a!rootkit
  Peter M

  We deal only with home products here and the home/home office type of setup. You'll have to post in Business I think but let me check.

• 4. Re: W32/Cutwail.a!rootkit
  secured2k

  This is an old rootkit virus that requires the NDIS.SYS file to be replaced from a known clean backup while not running Windows. This means using a Boot CD or "scheduling a delayed file operation."
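Before swapping drivers from boot media, a practitioner would first want to confirm that the flagged ndis.sys really differs from the clean backup the reply above refers to. The PowerShell below is an added example written for this thread, not code from the thread or from McAfee; the backup path D:\clean_backup\ndis.sys is an assumption.

```powershell
# Added example, not from the thread: compare the suspect ndis.sys with a
# known-clean backup and check its Authenticode signature before deciding
# whether an offline replacement is needed.
# Both paths are assumptions; adjust them for your system and backup media.
$SuspectPath   = Join-Path $env:SystemRoot 'System32\drivers\ndis.sys'
$KnownGoodPath = 'D:\clean_backup\ndis.sys'

function Get-DriverReport {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = (Get-Item -LiteralPath $Path).Length
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}

$suspect = Get-DriverReport -Path $SuspectPath
$clean   = Get-DriverReport -Path $KnownGoodPath
$suspect, $clean | Format-List

if ($suspect.SHA256 -eq $clean.SHA256) {
    Write-Host 'ndis.sys matches the clean backup; no replacement needed.'
}
elseif ($suspect.SigStatus -ne 'Valid' -or $suspect.Size -ne $clean.Size) {
    Write-Warning 'ndis.sys differs from the backup and fails signature/size checks.'
    Write-Warning 'Replace it offline (boot media), not from the running system.'
}
else {
    # Different hash but still a valid Microsoft signature usually means a
    # different patch level of the driver, not tampering. Confirm the backup
    # came from the same Windows build before swapping files.
    Write-Warning 'Hash differs but signature is valid; check the backup matches this build.'
}

# Caveats: Windows drivers are catalog-signed, so older Windows/PowerShell
# versions may report NotSigned for a clean file; treat that as inconclusive.
# A kernel rootkit can also hide on-disk changes from tools run inside the
# infected OS, which is why the reply recommends checking and replacing the
# file from boot media rather than from the running system.
```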