Tuesday, January 13, 2009

Best Practice - How to clean Worm_Downad.AD with OfficeScan

Trend Micro has seen an increase in infections by Worm_Downad.AD and its variants.

Symptoms
· Users cannot log in with their Windows credentials because their accounts are locked out
· Increased traffic on port 445

The following components are needed in order to completely clean the infected machines:
· Latest virus pattern file (lpt$vpn.xxx)
· Rootkit Common Module (RCM) 2.2.1016
· GeneriClean Technology
· Damage Cleanup Template (DCT) 1002
· Damage Cleanup Engine (DCE) 6.0.1169
· Scan engine (VSAPI) 8.911
· Microsoft MS08-067 patch

Recommended Action

Using OfficeScan (OSCE) 8.0
1. Apply the MS08-067 patch -- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
2. Update now to ensure you have the latest components
3. Deploy the latest Damage Cleanup Engine (DCE) 6.0.1169 via OSCE server. DCE 6.0.1169 can be downloaded at http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/DCEv6.0.1169.zip
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-124134
4. If VSAPI 8.911 is not yet uploaded to AU, apply VSAPI 8.911 to the OSCE server. You can download the files at http://www.trendmicro.com/download/engine.asp#prod_5
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-122633
5. Once all the update components are up-to-date, invoke a “scan now” from the OSCE server
6. Machines that are infected with Worm_Downad.AD or its variants require a reboot to completely clean the machine.

Using OfficeScan (OSCE) 7.x
1. Apply the MS08-067 patch -- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
2. Update now to ensure you have the latest components
3. Deploy the latest Damage Cleanup Engine (DCE) 6.0.1169 via OSCE server. DCE 6.0.1169 can be downloaded at http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/DCEv6.0.1169.zip
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-124134
4. Install the Rootkit Common Module on each OSCE 7.x client
a. Download the file (DTtool.zip) from the FTP site
b. Extract it and copy these files to the windows\system32\drivers folder:
   Dttool.exe
   Tmcomm.inf
   Tmcomm.sys
   Tmengdrv.dll
c. Open a command prompt, change to windows\system32\drivers, and run:
   Dttool.exe install
   Dttool.exe start
5. If VSAPI 8.911 is not yet uploaded to AU, apply VSAPI 8.911 to the OSCE server. You can download the files at http://www.trendmicro.com/download/engine.asp#prod_5
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-122633
6. Once all the update components are up-to-date, invoke a “scan now” from the OSCE server
7. Machines that are infected with Worm_Downad.AD or its variants require a reboot to completely clean the machine.
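Both procedures above say "scan now" should only be invoked once every component is up to date. As an added example (not Trend Micro's code or part of the original post), the Python below checks each client's reported component versions against the minimum versions listed on this page and whether MS08-067 is installed, so clients that are not ready are flagged before the scan; the client inventory format is an assumption, since real data would come from the OSCE server's client status.

```python
"""Cleanup readiness check for Worm_Downad.AD (added example, not Trend Micro's code).

Compares the component versions an OfficeScan client reports with the minimum
versions listed on this page. The report format is an assumption.
"""
from typing import Dict, List

# Minimum versions from the component list above (VSAPI, DCE, DCT, RCM).
REQUIRED = {
    "VSAPI": "8.911",
    "DCE": "6.0.1169",
    "DCT": "1002",
    "RCM": "2.2.1016",
}

def parse_version(ver: str):
    """Turn '6.0.1169' into (6, 0, 1169) so '8.1000' sorts above '8.911'."""
    return tuple(int(part) for part in ver.split("."))

def version_ok(installed: str, required: str) -> bool:
    """True when the installed version is at least the required version."""
    return parse_version(installed) >= parse_version(required)

def check_client(report: Dict) -> List[str]:
    """Return the problems blocking cleanup on one client (empty list = ready)."""
    problems = []
    if not report.get("ms08_067_installed", False):
        problems.append("MS08-067 not installed")
    for component, minimum in REQUIRED.items():
        installed = report.get("components", {}).get(component)
        if installed is None:
            problems.append(f"{component} missing")
        elif not version_ok(installed, minimum):
            problems.append(f"{component} {installed} < {minimum}")
    return problems

def triage(reports: List[Dict]) -> Dict[str, List[str]]:
    """Map each client name to its blocking problems; ready clients map to []."""
    return {r["name"]: check_client(r) for r in reports}

# Constructed sample inventory of three clients (hypothetical names and data).
SAMPLE_REPORTS = [
    {"name": "ws-01", "ms08_067_installed": True,
     "components": {"VSAPI": "8.911", "DCE": "6.0.1169", "DCT": "1002", "RCM": "2.2.1016"}},
    {"name": "ws-02", "ms08_067_installed": True,
     "components": {"VSAPI": "8.700", "DCE": "6.0.1169", "DCT": "1002", "RCM": "2.2.1016"}},
    {"name": "ws-03", "ms08_067_installed": False,
     "components": {"VSAPI": "8.911", "DCE": "6.0.1169", "DCT": "1002"}},
]

if __name__ == "__main__":
    for name, problems in triage(SAMPLE_REPORTS).items():
        print(name, "READY" if not problems else "; ".join(problems))
```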
