1.0 Introduction
2.0 Release Package Contents
3.0 Known Issue
Damage Cleanup Template (DCT) 830 is a Pattern Release for Windows related platforms.
New Virus Detected:
There are [05] new viruses supported in this version. The new viruses include:
01. BKDR_GINWUI.B
02. TSPY_LEGMIR.AMF
03. TSPY_LINEAGE.DTD
04. TSPY_ONLINEGA.JN
05. WORM_RBOT.CDX
Virus Name Changed:
Old Virus Name / New Virus Name
Virus Signature Modified:
Virus Signature Dropped:
DCE/DCT release components are as follows:
- TSC.exe
- TSC.ptn
Requirements
This tool is designed to run under Windows NT/2000 and Windows 9X/ME. For this tool to execute properly under Windows NT/2000 it needs the following DLL file:
- PSAPI.DLL
Make sure that this file is present in the "Winnt\system32" directory.
This tool is also designed to be used together with a Trend product. The Trend
products that support DCE/DCT 3.9 are: OfficeScan 5.02, ServerProtect 5.35, PC-Cillin
2002, and Damage Cleanup Server (DCE/DCT) 1.0.
Known Issue
1. DCE/DCT backs up only the latest modification it has made and only restores the backups of the latest modification.
2. Insufficient disk space. DCE/DCT runs properly despite the lack of disk space. However, it will not write to the log files and will no longer be able to back up the system settings. Trend does not recommend running DCE/DCT from a floppy disk, since the size of a floppy disk may not suffice for the backup files and the log files.
3. The command line or console mode options override the INI settings.
4. On Windows 2000 and Windows XP, cleaning INI files may have problems. Windows 2000/XP caches the .INI files; thus, in some cases, DCE/DCT may not be able to clean the .INI files.
5. DCE/DCT only cleans the registry of the currently logged-on user for the HKEY_CURRENT_USER key. However, it can clean the other keys properly.
6. On WinME systems, deleted files are retained in the System Restore folder due to the Restore feature of WinME. When an infected file is deleted, the Restore folder of WinME backs up the file for future restoration. The user must manually delete this file in the Restore folder. Please visit this Web site for a description and more detailed information on how to remove the contents of the _Restore folder:
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0
7. DCE/DCT cleans all WORM_KLEZ variants. However, DCE/DCT can restore WORM_KLEZ.E, G, H, I and J infected files only if the infected files are running.
8. DCE/DCT detects and cleans a fully installed WORM_FRIENDGRT.B.
9. DCE/DCT stops and restarts the SQLSERVER service, if possible, to stop WORM_SQL1434.A from infecting other computers in the network.
10. DCE/DCT will create a subdirectory named [FLCSS.EXE] to make the system immune from future infections of PE_FUNLOVE.4099. This is a feature of the fixtool integrated in DCE/DCT.
11. DCE/DCT will not be able to delete the added LNK files with a path containing %username%.<domain name>, which were dropped by the malware TROJ_SPEEDIA.C.
12. DCE/DCT will not delete registry entries from BKDR_IROFFER.A because they are harmless and are generally created by cygwin1.dll, a DLL used to emulate a UNIX environment on Windows platforms.
13. The DCE/DCT for the MALDAL family is not capable of restoring the computer name of the infected system. DCT will temporarily solve the malware, but the system will not reboot properly after the malware has been executed. This applies to variants .D and .G. Cleaning may fail because the file was not deleted due to insufficient administrative rights. For the .C variant, the malware disables the keyboard for Windows applications. The only way to restore the keyboard is to reset the PC.
14. TROJ_SLIME.A associates itself with .EXE files. Rename TSC.EXE to TSC.COM for TROJ_SLIME.A infections.
15. DCE/DCT will not delete the random registry entries created by WORM_SPYBOT. These entries are harmless. On Windows 2000 systems, some samples do not drop their associated file(s) in the Windows system directory. DCE/DCT does not support this kind of behavior. However, if there are dropped files, these can be detected and cleaned by our VSAPI engine.
16. DCE/DCT for the WORM_WUKILL family will leave the valid file WINFILE.EXE running on systems where it exists. Since this is a valid Windows file, it is considered non-malicious and will not harm the system. The user should terminate the application manually.
17. On Windows NT systems, the malware WORM_SDBOT.FP fails to finish one of its network modules; thus the NET.EXE process (a normal system file) that it uses does not terminate. Since this file is non-malicious, this activity poses no threat to the system. Nonetheless, if the user wishes to remove this active application, a simple system reboot will suffice.
18. On Windows NT, DCE/DCT requires the user to click OK on the Dr. Watson error dialog for DCE/DCT to clean WORM_SDBOT.TL from the %systemdir%.
19. At the time the DCT for TROJ_AGENT.EL was released, the URL from which the malware downloads a program was already inaccessible.
20. To remove BKDR_PADODOR.H from the system, first execute the DCT pattern from Trend Micro's Damage Cleanup Services. Then reboot the system.
21. To completely clean PE_Chir.B, DCE/DCT should be run after rebooting the system.
22. To completely clean WORM_BOBAX.P, scan the system using the Trend Micro antivirus product after rebooting the system.
23. DCE/DCT only detects and removes a fully installed RTKT_XCP.A on Windows 2000, XP and Server 2003.
24. Two system reboots are required to completely clean PE_BOBAX.AL, which is also dropped and executed by WORM_BOTOB.A.