If you guys are using Trend Micro OfficeScan, try to check if your
OfficeScan clients have the latest pattern file and scan engine,
because without the latest OfficeScan components, the product would not
implement services to clean/delete/quarantine the malware.
Please go to this link to download the latest OfficeScan components:

http://www.trendmicro.com/en/home/us/enterprise.htm

Here are more instructions:

OfficeScan Corporate Edition: Updating the Scan Engine and Pattern
File version of OfficeScan Corporate Edition using ActiveUpdate.

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=9918

If you guys have hundreds or thousands of client machines to update
the OfficeScan clients with the latest pattern file and scan engine
updated from the ActiveUpdate server of Trend Micro, follow this
procedure:

Automatically upgrading and updating HTTP-based OfficeScan Corporate
Edition (OSCE) 5.x or lower client machines upon upgrade / update of
the OfficeScan server.

http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=20068

Btw, we have a product named HouseCall, which is a Trend Micro
Service/Product that will scan your computer for free:

http://housecall.trendmicro.com/

Hope to Help :)



On Fri, 19 Nov 2004 15:34:41 +0800, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> It appears that this worm/virus is again spreading.  Here's what I got
> from my team.
> ...hope this helps.
> Sammy
> =================
> 
> I used another Anti-virus to scan the infected PC and detected as:
> Z:\WINNT\system32\SYSMON32.exe Infection: Worm.Win32.Aidid Renamed.
> Z:\Documents and Settings\administrator\My Documents\Article Number 6
> (PNAP).doc.exe Infection: Worm.Win32.Aidid Renamed.
> 
> Actually it's an old virus. Pls. check this link:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AIDID.A
> I don't know why OfficeScan cannot detect it.
> 
> Worm.Win32.Aidid can be easily manually removed.
> Pls. read above link for the procedure.
> 
> Terminating the Malware Program
> This procedure terminates the running malware process from memory. You
> will need the name(s) of the file(s) detected earlier.
> 
> Open Windows Task Manager.
> On Windows 95/98/ME systems, press
> CTRL+ALT+DELETE
> On Windows NT/2000/XP systems, press
> CTRL+SHIFT+ESC, then click the Processes tab.
> In the list of running programs*, locate the malware file or files
> detected earlier.
> Select one of the detected files, then press either the End Task or the
> End Process button, depending on the version of Windows on your system.
> Do the same for all detected malware files in the list of running
> processes.
> To check if the malware process has been terminated, close Task Manager,
> and then open it again.
> Close Task Manager.
> *NOTE: On systems running Windows 95/98/ME, Task Manager may not show
> certain processes. You may use a third party process viewer to terminate
> the malware process. Otherwise, continue with the next procedure, noting
> additional instructions.
> 
> Removing Autostart Entries from the Registry
> 
> Removing autostart entries from the registry prevents the malware from
> executing during startup.
> 
> Open Registry Editor. To do this, click Start>Run, type REGEDIT, then
> press Enter.
> In the left panel, double-click the following:
> HKEY_LOCAL_MACHINE>Software>Microsoft>
> Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry or entries:
> SystemMonitor = "%System%\Sysmon32.exe"
> Note: %System% is the Windows system folder, which is usually
> C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows
> NT and 2000, and C:\Windows\System32 on Windows XP.
> 
> Close Registry Editor.
> NOTE: If you were not able to terminate the malware process from memory
> as described in the previous procedure, restart your system.
> 
> 
> 
> 
> -----Original Message-----
> From: Joseph Anthony C. Hermocilla [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 20, 2004 3:45 AM
> To: Philippine Linux Users Group Mailing List
> Subject: Re: [plug] new philippine virus!
> 
> That's all over the place here at UPLB.
> 
> To remove the worm:
> 1.) Boot in safe mode (Win 98 or XP)
> 2.) Run regedit. Regedit won't run under normal mode because the worm
> closes the window associated with regedit.
> 3.) Remove registry entry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSMON?
> something.
> 4.) Delete "C:\WINDOWS\SYSTEM\SYSMON32.EXE". I don't remember if it's
> SYSTEM or SYSTEM32. Just check the registry.
> 
> I think the worm was made using VB.
> 
> --
> ________________________________________________________________________
> ________
> Joseph Anthony C. Hermocilla            http://www.ics.uplb.edu.ph/~jach
> Instructor 1
> Institute of Computer Science
> University of the Philippines Los Banos
> 
> --
> Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED]
> (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph
> Searchable Archives: http://marc.free.net.ph .
> To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
> .
> Are you a Linux newbie? To join the newbie list, go to
> http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
> 


-- 
-- 
Xander R. Solis 
-----------------------
"Don't part with your illusions. When they are gone you may still
exist, but you have ceased to live."

GNUPG Key: 1024D/5257774A
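
An added example, not part of the original thread: a Python check that applies the indicators quoted above (the SystemMonitor Run value, Sysmon32.exe in the system folder, and the .doc.exe double extension) to `reg query` output and to file names. The sample registry output and the list of document extensions are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted in the thread (compared case-insensitively).
RUN_VALUE_NAME = "systemmonitor"
DROPPED_EXE = "sysmon32.exe"
SYSTEM_DIRS = {"system", "system32"}           # "%System%" per the thread's note
DECOY_EXTS = {".doc", ".xls", ".txt", ".jpg"}  # assumption: common document types

# Constructed sample of `reg query` output for the HKLM Run key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
    SystemMonitor    REG_SZ    C:\WINNT\System32\Sysmon32.exe
"""

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")
EXE_PATH = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def parse_run_values(reg_query_text):
    """Return {value name: data} for each value line in `reg query` output."""
    values = {}
    for line in reg_query_text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(3).strip()
    return values


def suspicious_run_entries(reg_query_text):
    """List (name, data, reasons) for Run values matching the thread's indicators."""
    hits = []
    for name, data in parse_run_values(reg_query_text).items():
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name is SystemMonitor")
        exe = EXE_PATH.match(data)
        if exe:
            path = PureWindowsPath(exe.group(1))
            if path.name.lower() == DROPPED_EXE and path.parent.name.lower() in SYSTEM_DIRS:
                reasons.append("target is Sysmon32.exe in the system folder")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def has_decoy_double_extension(filename):
    """True for names like 'report.doc.exe': a document extension hiding .exe."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DECOY_EXTS
```
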
