Microsoft Excel files and Word documents can be infected with malicious macro code identified as the Crigent malware (VBS_CRIGENT.LK, W97M_CRIGENT.JER, X97M_CRIGENT.A).
To clean infected machines using OfficeScan, perform the following steps.
To clean a Crigent infection:
- Make sure that the OfficeScan server and OfficeScan clients have the latest OPR pattern.
- Deploy the AEGIS Pattern TMTD 1391 from the Controlled ActiveUpdate server to your OfficeScan server:
  - Go to OfficeScan web console > Updates > Server > Update Source and point the OfficeScan server update source to the Controlled AU.
  - Under Download Updates From, select Other Update Source: and type in this site: http://controlledpattern-p.activeupdate.trendmicro.com/activeupdate/server.ini.
  - Click Save.
- Deploy the Bandage DCT Pattern version 1634:
  - Download the file to your Desktop or to a temporary directory from this site: ftp://ftp-download.trendmicro.com/Pattern/Bandage/VBS_CRIGENT/TSC_CRIGENT_1364.zip.
  - Follow the steps in the article Manually updating the Damage Cleanup Engine and Damage Cleanup Template (DCE/DCT) in OfficeScan to apply this bandage DCT.
- Configure the Real-time and Manual Scan settings and enable scanning of compressed files:
  - Go to OfficeScan Server > Networked Computers > Client Management and choose the affected domain/group/machine.
  - Click Settings > Scan Settings > [Real-time Scan | Manual Scan] Settings > Target.
  - Make sure that Enable virus/malware scan and Enable spyware and grayware scan are ticked.
  - Check the box for Scan compressed files.
  - Click the Action tab and set the 1st and 2nd action for Virus and Trojan as follows, or use the same action for all virus/malware types:
    - 1st Action – Clean
    - 2nd Action – Delete
  - Click the Apply to All Clients button to save.
- Perform an update on the OfficeScan client to make sure that the new settings are inherited.
- Perform a Manual Scan on the affected machine.
After the *.doc file(s) have been cleaned, a “File not found” pop-up window might appear. If it does, do any of the following:
- Click OK and continue using the document. However, the pop-up will re-open every time the document is opened.
- Disable macros, and the pop-up message will no longer appear. See Enable or disable macros in Office documents: http://office.microsoft.com/en-001/help/enable-or-disable-macros-in-office-documents-HA010031071.
- Manually remove the AutoOpen macro from the document. In the Word menu:
  - Go to View > Macros > View Macros.
  - Select the AutoOpen macro and click the Delete button.
  - Save the file.
- Use the special bandage pattern below to delete vbadata.xml and eliminate the pop-up. Contact Trend Micro Technical Support to get this bandage.
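The AutoOpen check and the vbadata.xml cleanup above are manual, per-document steps; the Python triage script below is an added example for this page, not Trend Micro's code or part of OfficeScan, and reports which documents under a directory still carry a VBA project (the OLE2 `_VBA_PROJECT` stream in legacy .doc/.xls, the `vbaProject.bin` part in OOXML) or a leftover `vbaData.xml` part, so you know which files still need the macro removed or the bandage applied. It relies only on the standard Office container layouts; the AutoOpen/Auto_Open substring check is a heuristic because VBA source is stored compressed, and the `build_sample_ooxml` helper exists only to construct test fixtures.

```python
import io
import zipfile
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2) header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")  # OOXML macro code part
VBA_DATA = ("word/vbaData.xml", "xl/vbaData.xml")  # OOXML macro metadata part
AUTO_RUN = (b"AutoOpen", b"Auto_Open", b"Document_Open", b"Workbook_Open")
OFFICE_EXT = {".doc", ".dot", ".docm", ".docx", ".xls", ".xlsm", ".xlsx"}


def inspect_document(data: bytes) -> dict:
    """Classify one Office document from its raw bytes.
    auto_run is a heuristic: VBA source is stored compressed (MS-OVBA), so a
    substring hit is meaningful but a miss does not prove the macro is absent."""
    info = {"container": "other", "has_vba": False,
            "has_vba_data": False, "auto_run": False}
    if data.startswith(OLE_MAGIC):
        info["container"] = "ole"
        info["has_vba"] = VBA_STREAM in data
        info["auto_run"] = info["has_vba"] and any(s in data for s in AUTO_RUN)
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            info["container"] = "ooxml"
            info["has_vba_data"] = any(p in names for p in VBA_DATA)
            for part in VBA_PARTS:
                if part in names:
                    info["has_vba"] = True
                    info["auto_run"] |= any(s in z.read(part) for s in AUTO_RUN)
    except zipfile.BadZipFile:
        pass  # neither OLE nor zip: not an Office container we can inspect
    return info


def scan_tree(root: str) -> list:
    """(path, info) for documents under root that still carry VBA or vbaData.xml."""
    found = ((str(p), inspect_document(p.read_bytes())) for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in OFFICE_EXT)
    return [(p, i) for p, i in found if i["has_vba"] or i["has_vba_data"]]


def build_sample_ooxml(parts: dict) -> bytes:
    """Constructed fixture for testing: a minimal OOXML zip with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in parts.items():
            z.writestr(name, blob)
    return buf.getvalue()
```

Run `scan_tree(r"C:\Users")` (or a share path) after the OfficeScan cleanup: files listed with `has_vba` still contain a macro project, and files listed with only `has_vba_data` are the ones that produce the “File not found” pop-up.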
Other recommendations/containments:
- Disable network sharing.
- Disable macros.
- Disable PowerShell.
- As a proactive detection measure, it is recommended to enable AEGIS and WRS.
To learn more about the Crigent malware, visit our Threat Encyclopedia: