Win32 cutwail in memory.dmp file

Avast caught Win32 cutwail-t in a memory.dmp file from a recent BSOD. Earlier, it found JS:Seeker-gen in an older memory.dmp and there was no way to confirm because they were too large, about 3.5 gigs each. Now here's what scares me about cutwail, taken from threatexpert:

Virus.Virut.na [PC Tools] 1
Virus.Win32.Sality.aa [Kaspersky Lab] 1
Virus.Win32.Virut.bx [Kaspersky Lab] 1
Virus.Win32.Virut.n [Kaspersky Lab] 1
Virus.Win32.Virut.q [Kaspersky Lab] 1
Virus:Win32/Sality.AM [Microsoft] 1
Virus:Win32/Virut.AK [Microsoft] 1
Virus:Win32/Virut.AP [Microsoft] 1
Virus:Win32/Virut.AU [Microsoft] 1
W32.Sality.AE [Symantec] 1
W32.Virut.B [Symantec] 1
W32.Virut.U [Symantec] 1
W32.Virut.W [Symantec] 1
W32/Sality-AM [Sophos] 1
W32/Virut.j [McAfee] 1
W32/Virut-Gen [Sophos] 1
Win32.Virut.Gen.5 [PC Tools] 1
Win32/Virut.D [AhnLab] 1
Win32/Virut.Gen [AhnLab]

These are the other ways cutwail is identified. I pray for an FP, though I deleted the file anyway. Any way to make sure the computer isn't infected?

The memory.dmp file is created when your system crashes; it contains what was in memory at the time of the crash, which could have included malware. It could be as large as your memory, so it may not be allowed to be sent to the chest without changing the settings.

If you have the tools and experience, you can examine this file to help discover why the crash happened; if you don't have that experience and those tools, it is worthless to you. The older the file is, the less worth it has, too.

If Windows were to crash again, it would create a new memory.dmp file if one wasn't present, or replace any existing one. So there really is no downside to deleting this memory.dmp file.

So, given these recent BSODs and something being found in the memory.dmp, it would be advisable to see if there is anything hidden/undetected on your system that might be injecting this into memory (though avast should alert on loading into memory).

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, though allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.

I have both already, and I scanned memory.dmp with them; both were negative. What about RootRepeal? I heard that's good. But for now I will run MBAM and SAS.

By default SAS wouldn't scan it, as it is over 4MB, and I don't know what default sizes apply to MBAM.

RootRepeal is good at what it does, anti-rootkit detection, and the memory.dmp file would have nothing to do with any rootkit infection unless that caused a system crash, and even then memory.dmp is the messenger rather than the culprit.

None of the aliases for cutwail (a mass email trojan) appear to be directly rootkit related, though some may be protected by a rootkit, see below.

Rootkit Functionality

Cutwail's rootkit functionality appears to prevent registry modifications from being detected by security and monitor programs. It may also monitor a list of running processes. Most variants also hide files and registry entries associated with Cutwail.

Bearing that in mind I would still expect MBAM/SAS to find something in the registry, which as you say they didn’t.

So it wouldn't hurt to run RootRepeal, though I'm not familiar with its log.

I will join MBAM's forum since they made RootRepeal.

That’s probably best, let us know how it gets on.