December 09, 2008 Virus Alert - POSSIBLE_PATCH-4
POSSIBLE_PATCH-4
   
Aliases: Trojan.Win32.Patched.ao (Kaspersky), Generic.dx (McAfee), Trojan.Peacomm!inf (Symantec), TR/Patched.AO.40 (Avira), W32/Dref-AQ (Sophos)
Pattern file needed: 5.472.02
Scan engine needed: 8.500
Overall risk rating: Low

Description :

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Solution :

Submitting Samples

Sample files for submission must be in ZIP format and should be password-protected. To submit a ZIP file, file compression software such as Winzip must be used. A trial version of Winzip is available at www.winzip.com.

To compress a file, please follow the steps below:

  1. Right-click on the file and select Add to Zip.
  2. Enter a file name for the zip file.
  3. On the Options menu, choose Encrypt. In the input box, type virus. This serves as the password for the zip file.
  4. Send the sample through the following channels:
    • For Trend Micro Premium customers, please submit a virus support case by clicking here:
    https://premium.trendmicro.com/premiumsupport/en/US/PSP/logon/logon.asp
    • For Trend Micro non-Premium customers, please contact your local support network here:
    http://www.trendmicro.com/en/about/contact/overview.htm
    • For non-Trend Micro customers, please submit a virus support case by clicking here:
    http://subwiz.trendmicro.com/SubWiz/Default.asp

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as Possible_Patch-4.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Restoring Deleted or Overwritten Files

The following file, which has been deleted or overwritten by the malware, can be restored from backup or by using installers:

  • USER32.DLL

(Note: If the above solution does not restore the said file, proceed to the following solution set.)

Deleting Malware Files using Recovery Console

To copy the legitimate file USER32.DLL to its original location, refer to the following procedure:

On Windows NT, 2000, XP, and Server 2003 systems

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows Installation CD in your CD-rom.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
  7. Type the drive that contains Windows, then press Enter.
  8. Type the following, then press Enter:
    • {Drive letter of optical drive where the Windows Installation CD is inserted}{colon}
      (For example: D: or E:)
    • CD I386
    • Expand.exe {malware file name detected earlier with last character as underscore (_)} {malware path detected earlier}
      (For example: Expand.exe USER32.DL_ c:\WINDOWS\system32)
  9. Type exit to restart the system.
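Once USER32.DLL has been re-expanded from the I386 folder, a practitioner will want to confirm that the copy in system32 is now byte-identical to the install-media copy; a "Patched" detection means a legitimate DLL was modified in place, so any remaining difference shows where the edit was. The following Python script is an added example, not part of the Trend Micro advisory; it assumes both files are available to read as bytes, and the sample input at the bottom is constructed, not a real DLL.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class PatchReport:
    identical: bool
    reference_sha256: str
    candidate_sha256: str
    differing_ranges: List[Tuple[int, int]]  # (offset, length) of each changed run

def differing_ranges(reference: bytes, candidate: bytes) -> List[Tuple[int, int]]:
    """Contiguous (offset, length) runs where candidate differs from reference.
    A size difference counts as one trailing run (bytes appended or truncated)."""
    runs: List[Tuple[int, int]] = []
    common = min(len(reference), len(candidate))
    i = 0
    while i < common:
        if reference[i] == candidate[i]:
            i += 1
            continue
        start = i
        while i < common and reference[i] != candidate[i]:
            i += 1
        runs.append((start, i - start))
    if len(reference) != len(candidate):
        runs.append((common, abs(len(reference) - len(candidate))))
    return runs

def compare_dll(reference: bytes, candidate: bytes) -> PatchReport:
    """Compare the file on disk (candidate) with the install-media copy (reference)."""
    runs = differing_ranges(reference, candidate)
    return PatchReport(
        identical=not runs,
        reference_sha256=hashlib.sha256(reference).hexdigest(),
        candidate_sha256=hashlib.sha256(candidate).hexdigest(),
        differing_ranges=runs,
    )

def compare_dll_files(reference_path: str, candidate_path: str) -> PatchReport:
    """Same check on files, e.g. the expanded USER32.DL_ vs. system32\\USER32.DLL."""
    with open(reference_path, "rb") as ref, open(candidate_path, "rb") as cand:
        return compare_dll(ref.read(), cand.read())

# Constructed sample (not a real DLL): 64-byte reference, and a copy with 3 bytes
# overwritten at offset 16 and 8 bytes appended at the end.
REFERENCE = bytes(range(64))
PATCHED = REFERENCE[:16] + b"\xe9\x00\x00" + REFERENCE[19:] + b"\x90" * 8
```

A report with identical set to True after the expand step confirms the restore took; any listed range means the file on disk still differs from the install-media copy.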

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as Possible_Patch-4. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.


For additional information about this threat, see Technical Details.