1.0 Introduction
2.0 Release Package Contents
3.0 Known Issues
Damage Cleanup Template (DCT) 888 is a Pattern Release for Windows-related platforms.
New Virus Detected:
There are [02] new virus(es) supported in this version. The new virus(es) are:
01. WORM_AGENT.SPS
02. WORM_DELF.JJZ
Virus Name Changed:
Old Virus Name    New Virus Name
Virus Signature Modified:
Virus Signature Dropped:
DCE/DCT release components are as follows:
· TSC.exe
· TSC.ptn
Requirements
This program is designed to run on Windows 9X/NT4/ME/2000/XP and Windows 2k3. For this program to execute properly on Windows NT 4.0 it needs the following DLL file:
o PSAPI.DLL
Make sure that this file is present in the "Winnt\system32" directory.
This program is also designed to be used together with a Trend Micro product. The Trend Micro products that support DCE/DCT 5.3 are:
· Trend Micro Control Manager (TMCM) 3.0
· Trend Micro Control Manager (TMCM) 3.5
· PC-cillin 2005
· PC-cillin 2006
· PC-cillin 2007
· PC-cillin for DELL (12.7)
· PC-cillin for DELL (14.6)
· Virus Buster (VB) 2005
· Virus Buster (VB) 2006
· OfficeScan (OSCE) 6.5 Server/Client
· OfficeScan (OSCE) 7.0 Server/Client
· OfficeScan (OSCE) 7.3 Server/Client
· HouseClean (HC) 1.0
· InterScan Gateway Security Appliance (IGSA) 1.5
· Network Virus Wall (NVW) 300 device
· Network Virus Wall (NVW) 1200 device
· Network Virus Wall (NVW) 2500 device
· Cisco Incident Control Server
· Damage Cleanup System (DCS) 3.2 - Server
· Damage Cleanup System (DCS) 3.2 - Client
· OfficeScan (OSCE) 8.0 Server/Client
Known Issues
1. DCE/DCT backs up only the latest modification it has made and only restores the backups of the latest modification.
2. DCE/DCT runs properly despite lack of disk space. However, it will no longer be able to write to the log files and will not be able to back up the system settings. Trend does not recommend running DCE/DCT on a floppy disk. The size of a floppy disk may not be sufficient for the backup files and the log files.
3. The command line or console mode options override the INI settings.
4. On Windows 2000 and Windows XP, cleaning INI files may have problems. Windows 2000/XP caches .INI files; thus, in some cases, DCE/DCT may not be able to clean the .INI files.
5. DCE/DCT only cleans the registry of the currently logged-on user for the HKEY_CURRENT_USER Key.
6. DCE/DCT cleans all WORM_KLEZ variants. However, DCE/DCT can restore WORM_KLEZ.E, G, H, I and J infected files only if the infected files are running.
7. DCE/DCT detects and cleans a fully-installed WORM_FRIENDGRT.B.
8. DCE/DCT will create a subdirectory named [FLCSS.EXE] to make the system immune from future infections of PE_FUNLOVE.4099. This is a feature of a fixtool integrated in DCE/DCT.
9. DCE/DCT will not be able to delete added LNK files whose path contains %username%.<domain name>, which were dropped by the malware TROJ_SPEEDIA.C.
10. DCE/DCT will not delete registry entries from BKDR_IROFFER.A because they are harmless and generally created by cygwin1.dll, which is a DLL used to emulate UNIX on the Windows platform.
11. The DCE/DCT for the MALDAL family is not capable of restoring the computer name of the infected system. DCT will temporarily resolve the malware, but the system will not reboot properly after the malware has been executed. For variants .D and .G, DCE/DCT may encounter a clean failure when the file cannot be deleted due to insufficient administrative rights. The .C variant disables the keyboard for Windows applications. The only way to restore keyboard functions is to restart the computer.
12. DCE/DCT will not delete random registry entries created by WORM_SPYBOT. These entries are harmless. On Windows 2000 systems, some samples do not drop their associated file(s) in the Windows system directory. DCE/DCT does not support this kind of behavior. However, if there are dropped files, these can be detected/cleaned by our VSAPI engine.
13. DCE/DCT for the WORM_WUKILL family will leave the valid file WINFILE.EXE running on systems where it exists. Since this is a valid Windows file, it is considered non-malicious and won't harm the system. The user should terminate the application manually.
14. On WinNT, DCE/DCT requires that the user click OK on the Dr. Watson error for DCE/DCT to clean WORM_SDBOT.TL from the %systemdir%
15. During the release of the DCT for TROJ_AGENT.EL, the URL site where it downloads a program was already inaccessible.
16. To completely clean PE_Chir.B, DCE/DCT should be run after rebooting the system.
17. To completely clean WORM_BOBAX.P, scan the system using the Trend Micro antivirus product after rebooting the system.
18. DCE/DCT only detects and removes fully-installed RTKT_XCP.A on Windows 2000, XP and Server 2003.
19. Two system reboots are required to completely clean PE_BOBAX.AL which is also dropped and executed by WORM_BOTOB.A.