Release Note for Trend Micro(R) Damage Cleanup Engine/Template

Damage Cleanup Engine (DCE) Version 6.2 (Build 1016),
Damage Cleanup Template (DCT) 1072.

Copyright (C) 2001-2009 Trend Micro Incorporated. All rights reserved.

1.0 Introduction

Damage Cleanup Template (DCT) 1072 is a Pattern Release for
Windows-related platforms.

There are [0] new virus(es) supported in this version.

The new virus(es) are:

Virus Signature Modified:

Virus Signature Dropped:

2.0 Release Package Contents

DCE/DCT release components are as follows:

- TSC.exe
- TSC.ptn

Requirements

This program is designed to run on Windows 9X/NT4/ME/2000/XP and
Windows 2k3.

For this program to execute properly on Windows NT 4.0, it needs the
following DLL file:

o PSAPI.DLL

Make sure that this file is present in the "Winnt\system32" directory.

This program is also designed to be used together with a Trend Micro
product. The Trend Micro products that support DCE/DCT 6.0 are:

- Trend Micro Control Manager (TMCM) 3.0
- Trend Micro Control Manager (TMCM) 3.5
- PC-cillin 2005
- PC-cillin 2006
- PC-cillin 2007
- PC-cillin for DELL (12.7)
- PC-cillin for DELL (14.6)
- Virus Buster (VB) 2005
- Virus Buster (VB) 2006
- OfficeScan (OSCE) 6.5 Server/Client
- OfficeScan (OSCE) 7.0 Server/Client
- OfficeScan (OSCE) 7.3 Server/Client
- HouseClean (HC) 1.0
- InterScan Gateway Security Appliance (IGSA) 1.5
- Network Virus Wall (NVW) 300 device
- Network Virus Wall (NVW) 1200 device
- Network Virus Wall (NVW) 2500 device
- Cisco Incident Control Server
- Damage Cleanup System (DCS) 3.2 - Server
- Damage Cleanup System (DCS) 3.2 - Client
- OfficeScan (OSCE) 8.0 Server/Client

3.0 Known Issues

1. DCE/DCT backs up only the latest modification it has made and only
   restores the backups of the latest modification.

2. DCE/DCT runs properly despite lack of disk space. However, it will
   no longer be able to write to the log files and will not be able to
   back up the system settings.
   Trend does not recommend running DCE/DCT on a floppy disk. The size
   of a floppy disk may not be sufficient for the backup files and the
   log files.

3. The command line or console mode options override the INI settings.

4. On Windows 2000 and Windows XP, cleaning INI files may have
   problems. Windows 2000/XP caches .INI files; thus, in some cases,
   DCE/DCT may not be able to clean the .INI files.

5. DCE/DCT only cleans the registry of the currently logged-on user
   for the HKEY_CURRENT_USER key.

6. DCE/DCT cleans all WORM_KLEZ variants. However, DCE/DCT can restore
   WORM_KLEZ.E, G, H, I and J infected files only if the infected
   files are running.

7. DCE/DCT detects and cleans a fully-installed WORM_FRIENDGRT.B.

8. DCE/DCT will create a subdirectory named [FLCSS.EXE] to make the
   system immune from future infections of PE_FUNLOVE.4099. This is a
   feature of a fixtool integrated in DCE/DCT.

9. DCE/DCT will not be able to delete added LNK files whose path
   contains %username%, which were dropped by the malware
   TROJ_SPEEDIA.C.

10. DCE/DCT will not delete registry entries from BKDR_IROFFER.A
    because they are harmless and generally created by cygwin1.dll,
    which is a DLL used to emulate UNIX on the Windows platform.

11. The DCE/DCT for the MALDAL family is not capable of restoring the
    computer name of the infected system. DCT will temporarily resolve
    the malware, but the system will not reboot properly after the
    malware has been executed. For variants .D and .G, DCE/DCT may
    fail to clean when the file cannot be deleted due to insufficient
    administrative rights. The .C variant disables the keyboard for
    Windows applications. The only way to restore keyboard functions
    is to restart the computer.

12. DCE/DCT will not delete random registry entries created by
    WORM_SPYBOT. These entries are harmless. On Windows 2000 systems,
    some samples do not drop their associated file/s in the Windows
    system directory. DCE/DCT does not support this kind of behavior.
    However, if there are dropped files, these can be detected/cleaned
    by our VSAPI engine.

13. DCE/DCT for the WORM_WUKILL family will leave the valid file
    WINFILE.EXE running on systems where it exists. Since this is a
    valid Windows file, it is considered non-malicious and won't harm
    the system. The user should terminate the application manually.

14. On WinNT, DCE/DCT requires the user to click OK on the DrWatson
    error for DCE/DCT to clean WORM_SDBOT.TL from the %systemdir%.

15. During the release of the DCT for TROJ_AGENT.EL, the URL site
    where it downloads a program was already inaccessible.

16. To completely clean PE_Chir.B, DCE/DCT should be run after
    rebooting the system.

17. To completely clean WORM_BOBAX.P, scan the system using the Trend
    Micro antivirus product after rebooting the system.

18. DCE/DCT only detects and removes fully-installed RTKT_XCP.A on
    Windows 2000, XP and Server 2003.

19. Two system reboots are required to completely clean PE_BOBAX.AL,
    which is also dropped and executed by WORM_BOTOB.A.

20. The DCT pattern for PE_MADANGEL.A, PE_MADANGEL.D, PE_MADANGEL.A-O,
    and PE_MADANGEL.D-O has no cleanup support for Windows NT
    platforms.