****************************************************************************
FIXTOOL for WORM_DOWNAD
Version 1.10
Trend Micro, Inc.
http://www.trendmicro.com
****************************************************************************

Date: Wed 04/10/2009
Time: 11:00:00
Time Zone: (GMT-08:00)

I. Description

This archive is a stand-alone fix package that incorporates the Damage
Cleanup Engine and Template. This tool supports the following features:

   o Scan all local hard drives and clean all malware/virus infected files

II. File List

The following files are included in this package:

   o syscl3@n.exe  - an executable module that extracts the following files:
        o fix.exe        - the main batch file
        o syscl3@n.com   - the executable module
        o readme.txt     - this file
        o TestTool.exe   - executable for vulnerability assessment
        o TMVAmain.ptn   - vulnerability pattern file
        o TSCTest.ini    - configuration file
        o tsc.exe        - official Damage Cleanup Engine
        o tsc.ini        - configuration file
        o tsc.ptn        - pattern file
        o regini.exe     - Windows tool for applying registry settings

III. How to Use

   1. Close all applications running on your system, including any
      antivirus software.
   2. Open the .ZIP file.
   3. Run the .EXE file, syscl3@n.exe, by either:
        a. Double-clicking the file in Windows Explorer.
        b. Running it from a command prompt.
   4. Re-enable any antivirus software that is installed on your system
      and perform a manual scan.

   NOTE: This fixtool writes its log file, SYSCLEAN.LOG, to the folder it
         is run from.

IV. History

   Version 1.0.1000  - First release
   Version 1.1.1000  - Updated fixtool
   Version 1.2.1000  - Support WORM_DOWNAD.AD
   Version 1.3.1000  - Support vulnerability assessment and enhance system
                       cleanup
   Version 1.4.1000  - Added enhanced support for Japanese OS
   Version 1.5.1000  - Handle malware that terminates Sysclean (.com/.exe)
   Version 1.6.1000  - Added a small pattern build that only detects
                       WORM_DOWNAD variants
   Version 1.7.1000  - Sysclean scanning defaults to the Program Files and
                       Windows system directories
   Version 1.8.1000  - Add cleaning for WORM_DOWNAD.E
   Version 1.9.1000  - Add cleaning for WORM_DOWNAD.F
   Version 1.10.1000 - Enhance cleaning for WORM_DOWNAD.E and merge
                       WORM_DOWNAD.F into WORM_DOWNAD.E

V. Compatibility

This tool has been tested under the following platforms:

   Windows 2000
   Windows XP Home and Professional
   Windows 2003
   Windows Vista

VI. Known Issues

   o Apply the appropriate Microsoft operating system patches BEFORE
     running this fixtool; otherwise the system may be re-infected.

   o It is highly recommended to clear Internet Explorer's browsing history
     after running this fixtool.

   o This fixtool uses the Windows tool regini.exe. On some Windows 2000
     systems this file may not exist. If so, copy regini.exe from another
     Windows system into the fixtool folder so the fixtool can run
     successfully.

   o This fixtool applies a policy that prevents the system from creating
     a new Scheduled Task (including adding one by drag and drop) and
     prevents Scheduled Tasks from executing. This is because this
     particular malware creates scheduled tasks that can re-run it every
     hour. Once the system has been patched and cleaned, restore Scheduled
     Tasks as follows:

       1. Start the Task Scheduler service.
          Instruction: Click Start > Run, type services.msc and press
          Enter. In the right pane, right-click 'Task Scheduler' and
          choose Start.

       2. Delete the following registry values under
          "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0"
          using the registry editor: "DragAndDrop", "Execution" and
          "Task Creation".
          Instruction: Click Start > Run, type regedit and press Enter.
          Navigate to
          "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0"
          and, in the right pane, delete the values named "DragAndDrop",
          "Execution" and "Task Creation".

VII. Additional Resources

This Fixtool for WORM_DOWNAD supports certain WORM_DOWNAD variants. For
more information about the variants covered by this package, please visit
the Trend Micro virus advisories Web site at:

   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.A&VSect=T
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&VSect=T
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T

To access Trend Micro's SolutionBank, visit:
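The Task Scheduler restoration procedure from the Known Issues section (Section VI), carried out as a script rather than through services.msc and regedit. This is an added example and is not part of the Trend Micro fixtool package. It assumes the policy key and the three value names exactly as Section VI lists them, and that the Windows service behind the 'Task Scheduler' display name is the one named 'Schedule'. Run it from an elevated PowerShell prompt, and only after the system has been patched and scanned, because the policy the fixtool left behind is what stops the worm's hourly scheduled task from re-launching it.

```powershell
# Added example, not part of the Trend Micro fixtool: undo the Scheduled Task
# lockdown policy described in Section VI and start the Task Scheduler service.
# Run elevated, after patching and scanning the system.
#
# Assumptions (taken from the readme, not verified against the fixtool binary):
#   - the policy key and value names are exactly as Section VI lists them
#   - the 'Task Scheduler' service's internal name is 'Schedule'

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0'
$ValueNames = @('DragAndDrop', 'Execution', 'Task Creation')

function Get-TaskSchedulerLockdown {
    # Report which of the fixtool's policy values are still present, with their
    # data, so the operator sees what will be removed before anything changes.
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return @() }
    $key = Get-Item -LiteralPath $PolicyKey
    foreach ($name in $ValueNames) {
        if ($key.GetValueNames() -contains $name) {
            [pscustomobject]@{ Name = $name; Data = $key.GetValue($name) }
        }
    }
}

function Start-TaskSchedulerService {
    # Section VI, step 1: services.msc -> Task Scheduler -> Start.
    $svc = Get-Service -Name 'Schedule' -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Start-Service -Name 'Schedule' -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    return (Get-Service -Name 'Schedule').Status
}

function Remove-TaskSchedulerLockdown {
    # Section VI, step 2: delete only the three named values. The key itself
    # and any other values under it are left alone.
    $present = @(Get-TaskSchedulerLockdown)
    if ($present.Count -eq 0) {
        Write-Host "No fixtool Task Scheduler policy values found under $PolicyKey"
        return
    }
    foreach ($v in $present) {
        Remove-ItemProperty -LiteralPath $PolicyKey -Name $v.Name -ErrorAction Stop
        Write-Host ("Removed policy value '{0}' (was {1})" -f $v.Name, $v.Data)
    }
}

Write-Host ("Task Scheduler service is now: {0}" -f (Start-TaskSchedulerService))
Remove-TaskSchedulerLockdown
```

On a Windows 2000 or XP host without PowerShell, the same two steps can be typed at a command prompt as `sc start Schedule` followed by one `reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler5.0" /v "<name>" /f` per value name. In either form, confirm the worm is actually gone (Sysclean run completed, SYSCLEAN.LOG reviewed, OS patched) before lifting the policy, since the lockdown is deliberate and removing it early simply lets a surviving scheduled task bring the infection back.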