Configuring OfficeScan to clean Crigent malware infection

    • Updated: 25 Apr 2016
    • Product/Version: OfficeScan 10.6
    • Platform: Windows 7 32-bit, Windows 7 64-bit, Windows 8 32-bit, Windows 8 64-bit, Windows Vista 32-bit, Windows Vista 64-bit, Windows XP Professional, Windows XP Professional 64-bit

Summary

Microsoft Excel files and Word documents can be infected with malicious macro code identified as Crigent malware (VBS_CRIGENT.LK, W97M_CRIGENT.JER, X97M_CRIGENT.A).

To clean infected machines using OfficeScan, perform the following steps.

Details
To clean Crigent infection:

  1. Make sure that the OfficeScan server and OfficeScan clients have the latest OPR pattern.
  2. Deploy the AEGIS Pattern TMTD 1391 from the Controlled ActiveUpdate server into your OfficeScan server:
    1. Go to OfficeScan web console > Updates > Server > Update Source and define your OfficeScan Server Update Source to point to the Controlled AU.
    2. Under Download Updates From, select Other Update Source: and type in this site: http://controlledpattern-p.activeupdate.trendmicro.com/activeupdate/server.ini.

      [Screenshot: Update Source]

    3. Click Save.
  3. Deploy the Bandage DCT Pattern version 1634
    1. Download the file on your Desktop or on a temporary directory from this site: ftp://ftp-download.trendmicro.com/Pattern/Bandage/VBS_CRIGENT/TSC_CRIGENT_1364.zip.
    2. Follow the steps in the article Manually updating the Damage Cleanup Engine and Damage Cleanup Template (DCE/DCT) in OfficeScan to apply this bandage DC.
  4. Configure the Real-time and Manual Scan settings.
    1. Enable Scanning of Compressed files.
    2. Go to OfficeScan Server > Networked Computers > Client Management and choose the domain/group/machine affected.
    3. Click on Settings > Scan Settings > [Realtime Scan | Manual Scan] Settings Target.
    4. Make sure that Enable virus/malware scan and Enable spyware and grayware scan are ticked.
    5. Check the box for Scan compressed files.

      [Screenshot: Scan Compressed Files]

    6. Click on the Action tab and set the 1st and 2nd action for Virus and Trojan as such:

      [Screenshot: Custom Action]

      Or use the same action for all virus/malware types:

      1st Action – Clean
      2nd Action – Delete

    7. Click the Apply to All Clients button to save.
  5. Perform an Update on the OfficeScan client to make sure that the new settings are inherited.
  6. Perform a Manual Scan on the affected machine.

After the *.doc file(s) have been cleaned, a pop-up window “File not found” might appear. If it does, do any of the following:

  1. Click OK and continue using the document. However, the pop-up will re-open every time the document opens.
  2. Disable macros and the pop-up message will no longer appear.
  3. Enable or disable macros in the Office documents: http://office.microsoft.com/en-001/help/enable-or-disable-macros-in-office-documents-HA010031071.
  4. Manually remove the AutoOpen macro from the document. In the Word menu:
    1. Go to View > Macros > View Macros.
    2. Select AutoOpen Macro and click the Delete button.
    3. Save the file.
  5. Use the special bandage pattern below to delete vbadata.xml to eliminate the pop-up. Contact Trend Micro Technical Support to get this bandage.
  6. Other recommendations/containments:
    1. Disable network sharing.
    2. Disable macros.
    3. Disable PowerShell.
    4. For proactive detection, enabling AEGIS and WRS is recommended.
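
After the manual scan, an inventory of which Word and Excel files on a share still carry a VBA project shows where the AutoOpen macro may need the manual removal described above. The following is an added example, not Trend Micro code: the function names are hypothetical, and the check is a heuristic that flags macro presence only (it does not identify which macro, and it is no substitute for the OfficeScan scan).

```python
import io
import os
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")       # legacy .doc/.xls container header
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")   # stream name inside a VBA storage
EXTENSIONS = (".doc", ".dot", ".xls", ".docm", ".dotm", ".xlsm", ".docx", ".xlsx")


def has_vba_project(data: bytes) -> bool:
    """Heuristic: True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        # OLE directory entries store their names as uncompressed UTF-16LE.
        return VBA_DIR_NAME in data
    if data.startswith(b"PK\x03\x04"):
        # OOXML files are ZIP archives; macros live in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in archive.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def find_macro_documents(root: str) -> list:
    """Walk root and return sorted paths of Office files that still contain VBA."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the sweep
            if has_vba_project(data):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_macro_documents(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Files it lists can then be opened with macros disabled and checked under View > Macros > View Macros.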

To learn more about the Crigent malware, visit our Threat Encyclopedia:

Category: Configure; Remove a Malware / Virus
Solution Id: 1102960