Contents
1.0 Introduction
2.0 Release Package Contents
3.0 Known Issues
1.0 Introduction

Damage Cleanup Template (DCT) 874 is a Pattern Release for Windows-related platforms.

2.0 Release Package Contents

New Virus Detected:
There are 3 new viruses supported in this version. The new viruses are:
01. BKDR_IRCBOT.ADS
02. WORM_AGENT.DJI
03. WORM_SDBOT.EFX

Virus Name Changed (Old Virus Name -> New Virus Name): no entries listed in this release.

Virus Signature Modified: no entries listed in this release.

Virus Signature Dropped: no entries listed in this release.

The DCE/DCT release components are as follows:
- TSC.exe
- TSC.ptn
Requirements

This tool is designed to run under Windows NT/2000 and Windows 9X/ME. To execute properly under Windows NT/2000 it needs the following DLL file:
- PSAPI.DLL
Make sure that this file is present in the "Winnt\system32" directory.

This tool is also designed to be used together with a Trend product. The Trend products that support DCE/DCT 3.9 are: OfficeScan 5.02, ServerProtect 5.35, PC-Cillin 2002, and Damage Cleanup Server (DCE/DCT) 1.0.
3.0 Known Issues
1. DCE/DCT backs up only the latest modification it has made and restores only the backups of that latest modification.

2. Insufficient disk space. DCE/DCT runs properly despite a lack of disk space, but it will no longer write to the log files or back up the system settings. Trend does not recommend running DCE/DCT from a floppy disk, because a floppy disk may not have enough space for the backup files and the log files.

3. Command-line or console-mode options override the INI settings.

4. On Windows 2000 and Windows XP, cleaning INI files may have problems. Windows 2000/XP caches .INI files, so in some cases DCE/DCT may not be able to clean them.

5. DCE/DCT cleans the HKEY_CURRENT_USER key only for the currently logged-on user. It can clean the other keys properly.

6. On Windows ME systems, deleted files are retained in the System Restore folder because of the WinME Restore feature. When an infected file is deleted, the WinME Restore folder backs up the file for future restoration. The user must manually delete this file from the Restore folder. For a description and more detailed information on how to remove the contents of the _Restore folder, see:
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0

7. DCE/DCT cleans all WORM_KLEZ variants. However, DCE/DCT can restore files infected by WORM_KLEZ.E, G, H, I and J only if the infected files are running.

8. DCE/DCT detects and cleans a fully installed WORM_FRIENDGRT.B.

9. DCE/DCT stops and restarts the SQLSERVER service, if possible, to stop WORM_SQL1434.A from infecting other computers in the network.

10. DCE/DCT creates a subdirectory named [FLCSS.EXE] to make the system immune from future infections of PE_FUNLOVE.4099. This is a feature of the fix tool integrated in DCE/DCT.

11. DCE/DCT is not able to delete the added LNK files whose path contains %username%.<domain name>, which are dropped by the malware TROJ_SPEEDIA.C.

12. DCE/DCT does not delete the registry entries of BKDR_IROFFER.A because they are harmless and are generally created by cygwin1.dll, a DLL used to emulate a UNIX environment on the Windows platform.

13. The DCE/DCT for the MALDAL family is not capable of restoring the computer name of the infected system. The DCT temporarily removes the malware, but the system will not reboot properly after the malware has been executed. This applies to variants .D and .G. Cleaning may fail because the file could not be deleted due to insufficient administrative rights. For the .C variant, the malware disables the keyboard for Windows applications; the only way to restore the keyboard is to reset the PC.

14. TROJ_SLIME.A associates itself with .EXE files. Rename TSC.EXE to TSC.COM for TROJ_SLIME.A infections.

15. DCE/DCT does not delete the random registry entries created by WORM_SPYBOT; these entries are harmless. On Windows 2000 systems, some samples do not drop their associated file(s) in the Windows system directory, and DCE/DCT does not support this behavior. If files are dropped, however, they can be detected and cleaned by our VSAPI engine.

16. The DCE/DCT for the WORM_WUKILL family leaves the valid file WINFILE.EXE running on systems where it exists. Since this is a valid Windows file, it is considered non-malicious and will not harm the system. The user should terminate the application manually.

17. On Windows NT systems, the malware WORM_SDBOT.FP fails to finish one of its network modules, so the NET.EXE process (a normal system file) that it uses does not terminate. Since this file is non-malicious, this activity poses no threat to the system. Nonetheless, if the user wants to remove this active application, a simple system reboot will suffice.

18. On Windows NT, DCE/DCT requires the user to click OK on the Dr. Watson error dialog before it can clean WORM_SDBOT.TL from the %systemdir% directory.

19. At the time the DCT for TROJ_AGENT.EL was released, the URL from which the malware downloads a program was already inaccessible.

20. To remove BKDR_PADODOR.H from the system, first execute the DCT pattern from Trend Micro's Damage Cleanup Services, then reboot the system.

21. To completely clean PE_Chir.B, DCE/DCT should be run after rebooting the system.

22. To completely clean WORM_BOBAX.P, scan the system using the Trend Micro antivirus product after rebooting the system.

23. DCE/DCT only detects and removes a fully installed RTKT_XCP.A on Windows 2000, XP and Server 2003.

24. Two system reboots are required to completely clean PE_BOBAX.AL, which is also dropped and executed by WORM_BOTOB.A.