Trojan.dropper.cutwail.b - Description And Cleaning Instruction

Hello,


Four days ago, Bitdefender detected a threat on the computer of one of my clients:


C:\WINDOWS\system32\WLCtrl32.dll infected with Trojan.Dropper.Cutwail.B.


Trojan.Dropper.Cutwail.B has no description in the Bitdefender Virus Encyclopedia.


The infected file (WLCtrl32.dll) cannot be deleted using the usual methods (running in Safe Mode, etc.).


Also, after deleting WLCtrl32.dll using the Windows Recovery Console, the file reappears in the same location (C:\WINDOWS\system32\WLCtrl32.dll) after a restart.


I submitted a ticket to Bitdefender support the same day, with the infected file and the scan log.


I waited three days for a solution from technical support in response to my ticket, and then I decided to explore the issue myself.


Here are my conclusions (maybe someone else has the same issue and is searching for a solution):


_______


Trojan.Dropper.Cutwail.B


1. SYMPTOMS:


1.1 Existence of


%system%\wlctrl32.dll


with the following values in your registry:


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlctrl32


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlctrl32 asynchronous


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlctrl32 dllname


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlctrl32 impersonate


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlctrl32 startshell


1.2 Appearance of:


%system%\drivers\random_name.sys (UNDETECTED AS A THREAT BY BITDEFENDER!!!)


- random_name has the format: <capital letter><two lowercase letters><two digits>


- in my case random_name.sys was Oua40.sys


with the following values in your registry:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\random_name.sys


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\random_name.sys


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_random_name


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\random_name


note:


- %system% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.
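To check a machine for the two footprints listed in 1.1 and 1.2 without trusting the live system, export the registry (regedit File > Export, or `reg export`) and inspect the text offline. The script below is an added example, not part of the original post: it parses a .reg export, reports any Winlogon Notify package that is not in an assumed stock Windows XP SP2 baseline (the `BASELINE_NOTIFY` set is my assumption, extend it for your environment), and flags SafeBoot entries whose name matches the <capital letter><two lowercase letters><two digits>.sys pattern, cross-referencing the Services key. The `SAMPLE_EXPORT` is a constructed, simplified export (string values instead of hex(2) REG_EXPAND_SZ) built from the names given above.

```python
"""Offline triage of a Windows registry export (.reg text) for the two
persistence footprints in section 1: a Winlogon Notify package (1.1) and a
SafeBoot-protected driver named <Capital><two lowercase><two digits>.sys (1.2).

Added example, not from the original post. Usage: python triage_reg.py export.reg
(with no argument, the constructed SAMPLE_EXPORT below is analysed)."""
import re
import sys

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# File-name pattern reported in 1.2 (e.g. Oua40.sys).
RANDOM_SYS = re.compile(r"^[A-Z][a-z]{2}[0-9]{2}\.sys$")

# Assumption: Notify packages present on a stock Windows XP SP2 install.
# Anything outside this set is reported for review, not declared malicious.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def looks_like_random_driver(filename):
    """True when a driver file name matches the 1.2 naming pattern."""
    return RANDOM_SYS.match(filename) is not None


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name_lower: data}}.

    Handles [key] headers, "name"="string", @="default" and name=dword:...
    lines; hex/binary data is kept as the raw text after '='."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string values escape backslashes and quotes
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def _children(keys, parent):
    """Yield (child_name, values) for the direct subkeys of parent (case-insensitive)."""
    prefix = parent.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            child = path[len(prefix):]
            if "\\" not in child:
                yield child, values


def triage(keys):
    """Return a list of (category, name, detail) findings."""
    findings = []
    # 1.1: Winlogon Notify packages outside the baseline, with their DllName
    for package, values in _children(keys, NOTIFY_KEY):
        if package.lower() not in BASELINE_NOTIFY:
            findings.append(("winlogon-notify", package, values.get("dllname", "")))
    # 1.2: SafeBoot entries matching the random pattern; note whether a
    # matching Services\<name> key exists (the driver's load configuration)
    lower_paths = {p.lower() for p in keys}
    seen = set()
    for safeboot in SAFEBOOT_KEYS:
        for entry, _ in _children(keys, safeboot):
            if looks_like_random_driver(entry) and entry not in seen:
                seen.add(entry)
                service_key = SERVICES_KEY + "\\" + entry[:-len(".sys")]
                detail = "Services key present" if service_key.lower() in lower_paths else "Services key absent"
                findings.append(("safeboot-driver", entry, detail))
    return findings


# Constructed sample export built from the names in 1.1 and 1.2 (simplified).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32]
"Asynchronous"=dword:00000001
"DllName"="WLCtrl32.dll"
"Impersonate"=dword:00000000
"Startshell"="Startshell"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oua40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Oua40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Oua40]
"ImagePath"="system32\\drivers\\Oua40.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""


def triage_sample():
    """Run the triage over the constructed sample export."""
    return triage(parse_reg_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as handle:  # regedit exports are UTF-16
            results = triage(parse_reg_export(handle.read()))
    else:
        results = triage_sample()
    for category, name, detail in results:
        print(f"{category}: {name} ({detail})")
```

On the sample this reports the WLCtrl32 Notify package with its DllName and the Oua40.sys SafeBoot entry with its Services key present, and stays silent on crypt32chain and vga.sys. A hit from the pattern alone is a lead, not a verdict: confirm by checking the Services\<name> ImagePath and the file in %system%\drivers before acting on it.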


__________


2. MANUAL REMOVAL:


Solution:


2.1. (for Windows XP) Disable System Restore (use the manual method from http://support.microsoft.com/kb/310405)


2.2. Deleting files:


Restart the system using the Windows Recovery Console (you can see a tutorial here: http://forum.bitdefender.com/index.php?showtopic=1054)


- In the input box, type


del %System%\WLCtrl32.dll


and then press Enter


- In the input box, type


del %System%\drivers\random_name.sys


and then press Enter


- Type Exit and then press Enter in order to restart the system normally.


note:


- %system% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.


- random_name.sys is the generic name from point 1.2 above


2.3. Deleting registry entries added by this trojan:


Click Start>Run, type REGEDIT, then press Enter.


Delete the keys:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32.dll


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\random_name.sys


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\random_name.sys


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\random_name


Close Registry Editor.


note:


- random_name.sys is the generic name from point 1.2 above


2.4. Restart Windows and then enable System Restore (see point 2.1)