I. Operating System Recommendation

1. For MS Windows ME, XP, and Vista, turn off System Restore, as the restore points/files may have been infected by an uncleanable variant.

Here are the Microsoft articles that pertain to System Restore:

· Windows Vista: How to use System Restore to log on to Windows Vista when you lose access to an account
· Windows XP: How to turn off and turn on System Restore in Windows XP
· Windows ME: Description of the System Restore Utility in Windows Millennium Edition

Note: After ensuring that your system is clean again, you can re-enable System Restore.

2. Clean the cache of the System File Checker (SFC), as it may have been infected by an uncleanable variant. This will clean out [%SystemRoot%\system32\dllcache]. Note that some installations may require access to the Windows installation source files.

Here are the Microsoft articles that pertain to System File Checker:

· Windows 2000: Description of the Windows 2000 System File Checker (Sfc.exe)
· Windows XP/2003: Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
II. Sysclean Tool Recommendation

1. Download the latest Sysclean tool. The Sysclean tool is continually updated to address clean-up issues, including detection issues. It can be downloaded from:

http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-PE_VIRUX.zip

Make sure to use the latest scan pattern file posted on the FTP site mentioned above.

2. To maximize the clean-up capabilities of the tool, boot in Safe Mode with Command Prompt by pressing F8 during start-up. You can copy the Sysclean package to the machine before booting in this mode, or use a clean USB disk on each workstation. USB disks are usually detected in this mode and are assigned a drive letter greater than that of your last physical drive.

You may refer to this Microsoft article for Safe Mode boot options for Windows XP.

Note: The same options apply to any Microsoft OS.
III. Product Recommendation

1. For your scan options, the recommended configuration is Clean / [Pass/Bypass] (SPNT, WFBS, CSM-SMB, OSCE 7.3) or Clean / Deny Access (OSCE 8.0). This minimizes the damage done by the PE_VIRUX family by enabling cleaning of cleanable executables, while leaving in place infected executables that may be system files.

2. If the networked environment uses shared mapped drives or frequently uses shared folders, it is recommended to enable scanning of network storage drives.

Click here for the OfficeScan 7.3 configuration.

Note: There is a similar configuration for OfficeScan 8.0, which is available in the product documentation.

3. You can enable Web Reputation if you are using OfficeScan 8.0, 10, or 10.5 and have a license for Web Threat Protection. If a machine is infected by PE_VIRUX.A, it can be commanded via IRC to download malware from a malicious URL.

Enabling Web Reputation on OfficeScan 8.0/10/10.5 can minimize the risk of the machine downloading malware.

4. Since this is a file infector, it is possible that the OfficeScan client itself has been infected, especially if your network was compromised before the malware was detected. You can run the following command, which has been tested for OfficeScan 7.3 and 8.0:

\\ip.address.of.osce-server\ofcscan\autopcc.exe -f

This will fix any OfficeScan client-side corruption. You can deploy this via GPO for large-scale infections.
IV. Network Recommendation

To minimize risk on the network in general, you can use a scanning HTTP proxy server. At the firewall, you can then restrict all HTTP (port 80) access to go through the HTTP proxy. This enables you to block content that is being downloaded via the web, and to prevent connections to the IRC ports (port 6660 to 6669).

Note: You can use InterScan Web Security Suite to minimize this risk. Click here to evaluate this product.
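As an added example (not part of the Trend Micro article), a small Python audit that checks firewall log lines against the two egress rules above: HTTP (port 80) only via the scanning proxy, and no connections to IRC ports 6660 to 6669. The log format, the proxy address 10.0.0.5 and the internal range 10.0.0.0/8 are assumptions, and the log lines are constructed.

```python
"""Audit firewall log lines against the two egress rules this article
recommends: HTTP (TCP/80) only via the scanning proxy, and no reachable
IRC ports (TCP 6660-6669). Log format and addresses are assumptions."""
import ipaddress
import re

PROXY_HOST = ipaddress.ip_address("10.0.0.5")          # assumed scanning HTTP proxy
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
IRC_PORTS = range(6660, 6670)                          # 6660-6669 inclusive, per the article
HTTP_PORT = 80

# Constructed, simplified log format: "<ts> <ALLOW|DENY> <TCP|UDP> <src> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (src, dst, dport, reason) for each allowed TCP flow that violates a rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ALLOW" or m["proto"] != "TCP":
            continue  # unparsable, already-denied or non-TCP traffic is out of scope
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dport in IRC_PORTS:
            findings.append((m["src"], m["dst"], dport, "irc-port-reachable"))
        elif dport == HTTP_PORT and dst != PROXY_HOST and not is_internal(dst):
            # internal web servers are left alone; only direct-to-Internet HTTP is flagged
            findings.append((m["src"], m["dst"], dport, "http-bypasses-proxy"))
    return findings

# Constructed sample log lines (not from any real environment).
SAMPLE_LOG = [
    "2009-03-01T10:00:01 ALLOW TCP 10.0.1.20 -> 10.0.0.5:80",        # via proxy: fine
    "2009-03-01T10:00:02 ALLOW TCP 10.0.1.21 -> 203.0.113.7:80",     # direct HTTP: bypass
    "2009-03-01T10:00:03 ALLOW TCP 10.0.1.22 -> 198.51.100.9:6667",  # IRC port reachable
    "2009-03-01T10:00:04 DENY TCP 10.0.1.22 -> 198.51.100.9:6668",   # already blocked
    "2009-03-01T10:00:05 ALLOW UDP 10.0.1.23 -> 10.0.0.1:53",        # DNS: not in scope
]

if __name__ == "__main__":
    for src, dst, dport, reason in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Any "http-bypasses-proxy" hit means the firewall still allows direct port 80 egress, and any "irc-port-reachable" hit means the IRC block is not in effect.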
Recommended steps to mitigate the malware and secure your network:

1. Contain the malware by following the Network Recommendation. Review your firewall or proxy configuration to confirm that you are able to block specific ports and scan downloaded content.

2. Ensure that your Trend Micro product is updated with the latest pattern file and the recommended scan engine. Click here to download the Scan Engine.

After downloading the Scan Engine, you can safely point your product to update via the product's Active Update site.

3. On your Trend Micro product console, follow the recommendations to set the correct scan action to prevent system and other important files from being quarantined.

For OfficeScan, you can select the specific group of clients that have been infected by the said malware and implement the changes for this group.

4. Check if you have a Web Threat Protection license and enable it. This is applicable to OfficeScan 8.0.

5. Perform a Manual Scan or a Scan Now on the machines.

6. Check your virus logs. For machines that are heavily infected with this malware family, use the Sysclean tool.

It is recommended to remove both the SFC cache files and the System Restore points, as they have already been infected and their integrity has been compromised. Refer to the links noted above for the procedure.

7. If the OfficeScan client has been infected, restore it to full functionality by running the command "\\ip.address.of.osce-server\ofcscan\autopcc.exe -f".

8. After scanning the machines with the Sysclean tool and restoring possibly corrupted OfficeScan installations, proceed to do another manual scan.

The recommended Trend Micro scan action is enabled to contain malware that may become cleanable in the future. Trend Micro actively works on this complex malware and updates the pattern files regularly.