Release Notes for McAfee® Rootkit Detective Version 1.0
Developed by McAfee® Avert® Labs
Copyright © 2005-2007 McAfee, Inc. All Rights Reserved

Your use of the McAfee Rootkit Detective is subject to the Software License terms at the end of this document.
===========================================================

Thank you for using McAfee® Rootkit Detective 1.0 Software. This readme file contains important information regarding this release. We strongly recommend that you read the entire document before you run the tool.

IMPORTANT: Rootkit Detective allows you to detect and repair rootkits that hide their processes, files and registry entries. We strongly suggest that you take full caution when taking a repair action against hidden files, registry entries and processes, as it may lead to serious system stability issues depending on how the rootkit injects its components into the execution environment.

As there is no support for automatic upgrading of this version of the software, you need to obtain the latest new release, release candidate, or production release of the software manually by downloading it directly from the Website.
__________________________________________________________

WHAT'S IN THIS FILE

- Introduction
- Scope of this Release
- Features
- Installation & System Requirements
- Supported Products
- Known Issues
- Documentation
- Contact Information
- Copyright, Trademark Attributions & Patents
- Trademarks
- License Agreement and Attributions
- Patents
__________________________________________________________

INTRODUCTION

McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running in the system.

SCOPE OF THIS RELEASE

This McAfee Avert Rootkit Detective Release 1.0
- Is provided as a free tool with no charge
- Works on all supported platforms.
  (Refer to Installation and System Requirements)

For additional information or feedback about Rootkit Detective 1.0, please contact stinger@avertlabs.com

FEATURES

The following are the features of this program, which is designed to proactively detect and clean rootkits from the system. This program does not depend on any signatures; it can proactively detect most existing and upcoming rootkits and allows the user to clean them.

1. Proactively detects processes, files and registry entries that are hidden from the system user or from security applications.
2. Provides information about all running processes in the system.
3. Provides information about various system hooks, such as SSDT (System Service Descriptor Table) hooks and user/kernel IAT/EAT (Import/Export Address Table) hooks.
4. Allows the user to clean/remove malicious objects from the system by renaming/deleting the hidden files/registry entries.
5. Allows the user to terminate malicious processes.
6. Users can submit samples using the submission feature present in the tool.
7. Users can also collect the samples manually after renaming them and submit them to stinger@avertlabs.com for further analysis.

Rootkit Detective generates a log file which contains detailed information about what the tool finds when running on the user's system. Files that have been renamed will carry a .REN extension after reboot. Users can search for log files on their systems and submit these files for further analysis, with their comments, to stinger@avertlabs.com. Zip the files, password protect the archive with "infected", and mention "Rootkit Detective" in the subject line when you send the mail.
__________________________________________________________

INSTALLATION AND SYSTEM REQUIREMENTS

This package is a zip file and contains the following files:
1. Rootkit_Detective.exe - This file is the single and main executable that detects and cleans rootkits.
2. Readme.txt - This file contains all the information about the program.
You need to extract this zip file on the system with any unzipping program and run the main file. Please read the Readme.txt before using this program.

This tool only runs in Administrator mode. You should run this program logged in as the Administrator user or as any user having Administrator rights.

The following platforms are currently supported. The OS language supported is English for all supported platforms.

Operating Systems supported:
- Windows XP Home Edition with SP2
- Windows XP Professional Edition with SP2
- Windows 2000 with SP4
- Windows 2000 Server
- Windows 2003 Server SP1

Note: Please follow the Microsoft recommendations for system requirements for all the supported platforms. We recommend a minimum of 256MB memory for Server Platforms.
__________________________________________________________

SUPPORTED PRODUCTS

This tool has been tested for compatibility against the following products:
1. McAfee VirusScan Enterprise 8.0i
2. McAfee VirusScan Online 11
3. F-Secure Internet Security Suite 2006
4. Kaspersky Internet Security 2006
5. CA eTrust Internet Security Suite
6. Trend PC-Cillin Internet Security 2006
7. AVG Anti-Virus plus Firewall 7.1
8. Trend PC-Cillin Internet Security 2006
9. Sygate Personal Firewall
10. Norton Antivirus 2006
11. McAfee Antispyware Enterprise 8.0
12. MASE Plugin for VSE 8.0i
13. Zone Alarm
14. McAfee VirusScan Enterprise 8.5i
15. Microsoft Windows OneCare

In case you experience any issues with the above or any other AV or Firewall products, please send an e-mail to the mail ID specified in the Contact Information section.
__________________________________________________________

KNOWN ISSUES

1. Known detection issues

Rootkit Detective allows end users to list suspicious hooks made to the system kernel. Those hooks are used by rootkits and also by legitimate security applications.
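The distinction this section draws, hooks placed by rootkits versus hooks placed by legitimate security drivers, is the core triage problem for any hook scanner. The following is an added example, not code from the release notes or from Rootkit Detective itself, showing one way to classify SSDT/IAT/EAT entries against the module that should own them and to apply an allow-list of known legitimate hookers, plus a cross-view diff that flags process IDs missing from the API-level view. The allow-list names (mfehidk.sys, klif.sys, vsdatant.sys and the others) are the drivers this README's Known Issues list names; every address, PID, the driver name constructed_drv.sys, and the assumption that ntoskrnl.exe owns all SSDT entries are constructed for illustration.

```python
"""Hook classification and cross-view process diff on constructed sample data.

Added example; not part of the McAfee Rootkit Detective release notes or tool.
Verdicts: CLEAN (entry still points into its owner), KNOWN-LEGIT-HOOK (points
into a driver the README lists as a legitimate hooker), SUSPICIOUS-HOOK (points
into some other loaded module) and UNKNOWN-CODE (points at no loaded module at
all, i.e. code that is itself hidden from the module list).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: a single kernel image owns every SSDT service entry.
KERNEL_IMAGE = "ntoskrnl.exe"

# Drivers the README's Known Issues section names as legitimate hookers.
KNOWN_LEGIT_HOOKERS = {
    "mfehidk.sys", "vsdatant.sys", "goback2k.sys", "fsndis5.sys",
    "klif.sys", "firetds.sys", "hidsys.sys", "shim.dll",
}


@dataclass(frozen=True)
class LoadedModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class HookEntry:
    table: str            # "SSDT", "IAT" or "EAT"
    name: str             # service or imported/exported function name
    target: int           # address the table entry currently points to
    expected_owner: str   # module whose code should be at that address


def owner_of(addr: int, modules: List[LoadedModule]) -> Optional[str]:
    """Name of the loaded module containing addr, or None if there is none."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def classify(entry: HookEntry, modules: List[LoadedModule]) -> str:
    owner = owner_of(entry.target, modules)
    if owner is None:
        return "UNKNOWN-CODE"        # outside every listed module: highest concern
    if owner.lower() == entry.expected_owner.lower():
        return "CLEAN"
    if owner.lower() in KNOWN_LEGIT_HOOKERS:
        return "KNOWN-LEGIT-HOOK"    # README: do not take action on these
    return "SUSPICIOUS-HOOK"


def scan_hooks(entries: List[HookEntry],
               modules: List[LoadedModule]) -> Dict[str, str]:
    return {f"{e.table}:{e.name}": classify(e, modules) for e in entries}


def hidden_pids(api_view: List[int], raw_view: List[int]) -> List[int]:
    """Cross-view diff: PIDs the low-level view has but the API view lacks."""
    return sorted(set(raw_view) - set(api_view))


# ---- constructed sample input (addresses and PIDs are made up) ----------
SAMPLE_MODULES = [
    LoadedModule(KERNEL_IMAGE, 0x80400000, 0x200000),
    LoadedModule("klif.sys", 0xF8A00000, 0x30000),            # named on the page
    LoadedModule("kernel32.dll", 0x7C800000, 0xF6000),
    LoadedModule("constructed_drv.sys", 0xC0000000, 0x10000),  # hypothetical
]

SAMPLE_ENTRIES = [
    HookEntry("SSDT", "NtQuerySystemInformation", 0x80412345, KERNEL_IMAGE),
    HookEntry("SSDT", "NtCreateThread", 0xF8A01000, KERNEL_IMAGE),
    HookEntry("SSDT", "NtEnumerateKey", 0xF9000000, KERNEL_IMAGE),
    HookEntry("IAT", "FindNextFileW", 0xC0001000, "kernel32.dll"),
]

# Constructed process views: PID 1488 appears only in the low-level view.
SAMPLE_API_VIEW = [4, 380, 612, 1032]
SAMPLE_RAW_VIEW = [4, 380, 612, 1032, 1488]


def run_sample() -> Tuple[Dict[str, str], List[int]]:
    return (scan_hooks(SAMPLE_ENTRIES, SAMPLE_MODULES),
            hidden_pids(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW))


if __name__ == "__main__":
    hooks, hidden = run_sample()
    for key, verdict in hooks.items():
        print(f"{key:32} {verdict}")
    print("hidden PIDs:", hidden)
```

The allow-list only downgrades a hook from "suspicious" to "known legitimate"; it never marks an entry clean, so a hook that merely reuses a whitelisted driver's name but lives at an address outside that driver's mapped range still surfaces as UNKNOWN-CODE, which is the case the README's stability warning is really about.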
In this section we list the device drivers from various security vendors that hook into the system kernel; as a result, the tool will show them during kernel integrity scanning. We ask the end user not to take any action against any of these device drivers, as this may lead to serious system stability issues and at a minimum would disable their security application. In addition, some security applications hide some entries. Those are listed as well.

- Detects registry entries pertaining to McAfee Entercept products.
- Detects kernel services hooked by the mfehidk.sys file pertaining to McAfee Antispyware Enterprise (Standalone).
- Detects IAT/EAT hooks on Windows 2000 SP4 systems pointing to shim.dll.
- Detects vsdatant.sys from Zone Alarm as a hooked service with rootkit-like behavior.
- Detects Goback2k.sys as a hooked service with rootkit-like behavior on systems that have GoBack software installed.
- Detects fsndis5.sys as a hooked service from F-Secure if F-Secure Internet Security Suite 2006 is installed on the system.
- Detects klif.sys as a hooked service from Kaspersky if Kaspersky Internet Security 2006 is installed on the system.
- Detects FireTDS.sys as a hooked service from McAfee if McAfee Desktop Firewall is installed on the system.
- Detects Hidsys.sys as a hooked service from McAfee if McAfee Host Intrusion Prevention is installed on the system.
- Detects the service name ZwCreateThread when the VSE product is installed on the system.

2. Additional detection issues

In addition to the hooks listed in the previous section, the tool will detect many IAT/EAT hooks and SSDT hooks belonging to other legitimate applications.

3. Running issue

The tool will not run on Windows 2000 platforms when Kaspersky Internet Security 2006 is installed.

NOTE: Some or all of the above issues may be addressed in future releases.
__________________________________________________________

DOCUMENTATION

- Help Link in the tool.
  A Help file, accessed from within the tool, provides quick access to concepts, definitions, and procedures for using the tool.
- This README file.
_________________________________________________________

CONTACT INFORMATION

THREAT CENTER:

McAfee(r) Avert(r) Labs Home Page
http://www.mcafee.com/us/threat_center/default.asp

Avert Labs Threat Library
http://vil.nai.com/

Avert WebImmune & Submit a Sample (Logon credentials required)
https://www.webimmune.net/default.asp

Avert DAT Notification Service
http://vil.nai.com/vil/signup_DAT_notification.aspx

Contact stinger@avertlabs.com for any queries.

McAfee Avert is devoted to providing solutions based on your input.
_____________________________________________________

LEGAL INFORMATION

SOFTWARE LICENSE

BY DOWNLOADING AND INSTALLING THE MCAFEE ROOTKIT DETECTIVE (the "SOFTWARE"), YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS SOFTWARE LICENSE AGREEMENT. IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, THEN UNINSTALL THIS SOFTWARE PRODUCT AND DELETE ALL COPIES.

You, conditioned upon accepting these terms, are hereby granted a non-exclusive, non-transferable, non-royalty bearing license to copy and install the Software for your internal use only. You are NOT allowed to: (1) reverse engineer or otherwise attempt to discover the Software's source code; (2) sell, assign, sublicense, rent, share or otherwise distribute the Software to 3rd parties; or (3) use, copy, print or display the McAfee logo in connection with your use of the Software.

THE SOFTWARE IS PROVIDED AS-IS, WITH NO WARRANTY WHATSOEVER, EXPRESS OR IMPLIED. THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE SPECIFICALLY DISCLAIMED. McAfee reserves the right to terminate your license at any time for any reason, or even for no reason.
TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY (AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN (STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT, EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE, GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA), INTRUSHIELD, INTRUSION PREVENTION THROUGH INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS, NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD, NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER, THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM, VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA), WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.
_____________________________________________________

3rd PARTY OPEN SOURCE SOFTWARE AND PATENT INFORMATION

LICENSE ATTRIBUTIONS

This product includes or may include:

* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL, which is distributed to someone in an executable binary format, the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD.
  If any Free Software licenses require that McAfee provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994, 1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/). A copy of the license agreement for this software can be found at www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002 International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000 CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California, (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas. (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001, 2002, 2003. A copy of the license agreement for this software can be found at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its contributors.
* Software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999, 2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker, (C) 1999-2001.
* Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
* Software copyrighted by Housemarque Oy, (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California, (C) 1990, 1993, with code derived from software contributed to Berkeley by Chris Torek.

PATENTS

Protected by US Patents 6,006,035; 6,029,256; 6,035,423; 6,151,643; 6,230,288; 6,266,811; 6,269,456; 6,457,076; 6,496,875; 6,542,943; 6,594,686; 6,611,925; 6,622,150; 6,668,289; 6,697,950; 6,735,700; 6,748,534; 6,763,403; 6,763,466; 6,775,780; 6,851,058; 6,886,099; 6,898,712; 6,928,555; 6,931,540; 6,938,161; 6,944,775; 6,963,978; 6,968,461; 6,971,023; 6,973,577; 6,973,578.

DBN-004h-EN V3.1.4