1.0 Introduction
2.0 Release Package Contents
3.0 Known Issue
Damage Cleanup Template (DCT) 788 is a Pattern Release for Windows-based platforms.
New Viruses Detected:
There are [04] new viruses supported in this version. The new viruses include:
01. TROJ_DLOADER.EHJ
02. WORM_STRATION.FO
03. WORM_STRATION.FP
04. WORM_STRATION.GH
Virus Name Changed:
(none in this release)
Virus Signature Modified:
(none in this release)
Virus Signature Dropped:
01. WORM_SDBOT.AGH
DCE/DCT release components are as follows:
· TSC.exe
· TSC.ptn
Requirements
This tool is designed to run under Windows NT/2000 and Windows 9x/ME. For this tool to execute properly under Windows NT/2000 it needs the following DLL file:
o PSAPI.DLL
Make sure that this file is present in the "Winnt\system32" directory.
This tool is also designed to be used together with a Trend product. The Trend products that support DCE/DCT 3.9 are: OfficeScan 5.02, ServerProtect 5.35, PC-Cillin 2002, and Damage Cleanup Server (DCE/DCT) 1.0.
Known Issue
1. DCE/DCT backs up only the latest modification it has made and restores only the backups of that latest modification.
2. Insufficient disk space. DCE/DCT runs properly despite a lack of disk space; however, it will no longer write to the log files or back up the system settings. Trend does not recommend running DCE/DCT from a floppy disk, since a floppy disk may not have enough room for the backup files and the log files.
3. The command line or console mode options override the INI settings.
4. On Windows 2000 and Windows XP, cleaning INI files may have problems. Windows 2000/XP caches .INI files, so in some cases DCE/DCT may not be able to clean them.
5. DCE/DCT cleans the HKEY_CURRENT_USER key only for the currently logged-on user. It can clean the other keys properly.
6. On Windows ME systems, deleted files are kept in the System Restore folder because of the Restore feature of Windows ME. When an infected file is deleted, the Windows ME Restore folder backs up the file for future restoration. The user must delete this file from the Restore folder manually. Please visit this Web site for a description of, and more detailed information on, how to remove the contents of the _Restore folder:
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0
7. DCE/DCT cleans all WORM_KLEZ variants. However, DCE/DCT can restore files infected by WORM_KLEZ.E, G, H, I and J only if the infected files are running.
8. DCE/DCT detects and cleans a fully installed WORM_FRIENDGRT.B.
9. DCE/DCT stops and restarts the SQLSERVER service, if possible, to keep WORM_SQL1434.A from infecting other computers on the network.
10. DCE/DCT creates a subdirectory named [FLCSS.EXE] to make the system immune to future infections by PE_FUNLOVE.4099. This is a feature of the fix tool integrated into DCE/DCT.
11. DCE/DCT will not be able to delete the added LNK files with a path containing %username%.<domain name> that are dropped by the malware TROJ_SPEEDIA.C.
12. DCE/DCT will not delete the registry entries from BKDR_IROFFER.A because they are harmless and are generally created by cygwin1.dll, a DLL used to emulate a UNIX environment on the Windows platform.
13. The DCE/DCT for the MALDAL family is not capable of restoring the computer name of the infected system. DCT temporarily resolves the malware, but the system will not reboot properly after the malware has been executed. This applies to variants .D and .G. Cleaning may also fail because the file was not deleted due to insufficient administrative rights. For the .C variant, the malware disables the keyboard for Windows applications; the only way to restore the keyboard is to reset the PC.
14. TROJ_SLIME.A associates itself with .EXE files. Rename TSC.EXE to TSC.COM for TROJ_SLIME.A infections.
15. DCE/DCT will not delete the random registry entries created by WORM_SPYBOT; these entries are harmless. On Windows 2000 systems, some samples do not drop their associated file(s) in the Windows system directory. DCE/DCT does not support this kind of behavior. However, if there are dropped files, they can be detected and cleaned by our VSAPI engine.
16. The DCE/DCT for the WORM_WUKILL family leaves the valid file WINFILE.EXE running on systems where it exists. Since this is a valid Windows file, it is considered non-malicious and will not harm the system. The user should terminate the application manually.
17. On Windows NT systems, the malware WORM_SDBOT.FP fails to finish one of its network modules, so the NET.EXE process (a normal system file) that it uses does not terminate. Since this file is non-malicious, this activity poses no threat to the system. Nonetheless, if the user wants to remove this active application, a simple system reboot will suffice.
18. On Windows NT, DCE/DCT requires the user to click OK on the Dr. Watson error for DCE/DCT to clean WORM_SDBOT.TL from the %systemdir%.
19. By the time the DCT for TROJ_AGENT.EL was released, the URL from which the malware downloads a program was already inaccessible.
20. To remove BKDR_PADODOR.H from the system, first execute the DCT pattern from Trend Micro's Damage Cleanup Services, then reboot the system.
21. To completely clean PE_Chir.B, DCE/DCT should be run after rebooting the system.
22. To completely clean WORM_BOBAX.P, scan the system using the Trend Micro antivirus product after rebooting the system.
23. DCE/DCT only detects and removes a fully installed RTKT_XCP.A on Windows 2000, XP and Server 2003.
24. Two system reboots are required to completely clean PE_BOBAX.AL, which is also dropped and executed by WORM_BOTOB.A.
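Two of the known issues above are worth checking for by hand before running the tool: issue 14 (a sample that associates itself with .EXE files, which is why TSC.EXE is renamed to TSC.COM) and issue 5 (only the logged-on user's HKEY_CURRENT_USER is cleaned, so other users' hives are not touched). The PowerShell below is an added example written for this page; it is not part of the DCT release or of Trend Micro's tool. It assumes an elevated PowerShell session on Windows and uses only the stock registry locations (the exefile association under HKEY_CLASSES_ROOT, and the per-user Run/RunOnce keys under HKEY_USERS); the function names are the author's own.

```powershell
# Added example, not part of the DCT release notes or of Trend Micro's tool.
# Read-only checks for two of the known issues above:
#   - issue 14: verify the .EXE file association before trusting any .EXE
#     cleanup tool (a hijacked association routes every .EXE launch through
#     another program; renaming to .COM is the workaround the notes give);
#   - issue 5: DCE/DCT cleans HKEY_CURRENT_USER only for the logged-on user,
#     so list the other loaded hives under HKEY_USERS and their Run entries.
# Assumptions: elevated PowerShell on Windows; stock registry paths only.

function Test-ExeAssociation {
    # Stock value: "%1" %*  (run the requested file, pass its arguments through).
    # Anything else means .EXE launches are being redirected.
    $expected = '"%1" %*'
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $actual = [string](Get-ItemProperty -Path $key -Name '(default)').'(default)'
    [pscustomobject]@{
        Key      = $key
        Value    = $actual
        Hijacked = ($actual.Trim() -ne $expected)
    }
}

function Get-LoadedUserHives {
    # HKEY_CURRENT_USER is only a view of HKEY_USERS\<SID> for the interactive
    # user. HKEY_USERS holds just the hives currently loaded (logged-on users,
    # .DEFAULT and the service SIDs); users who are not logged on are absent,
    # which is why a cleanup limited to HKCU does not reach them.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'   # .DEFAULT and orphaned SIDs land here
            }
            [pscustomobject]@{ Sid = $sid; Account = $account }
        }
}

function Get-RunEntriesForHive {
    param([Parameter(Mandatory)][string]$Sid)
    # Per-user autostart keys: the HKCU locations that, per issue 5, the tool
    # only cleans for the user who is logged on.
    $subkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($sub in $subkeys) {
        $path = "Registry::HKEY_USERS\$Sid\$sub"
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }   # skip provider metadata
            [pscustomobject]@{ Sid = $Sid; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}

Test-ExeAssociation | Format-List
Get-LoadedUserHives |
    ForEach-Object { Get-RunEntriesForHive -Sid $_.Sid } |
    Format-Table -AutoSize
```

The script only reports; it changes nothing. A hive for a user who is not logged on does not appear under HKEY_USERS at all, so to inspect it you first load it from that profile's NTUSER.DAT with `reg load HKU\<name> <profile path>\NTUSER.DAT`, run the check against that name as the SID argument, and then `reg unload HKU\<name>`.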