Revised November 10, 2006
November 5, 2002
THIS FIELD NOTICE HAS BEEN ARCHIVED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Cisco CallManager 3.1(4b)spA contains three executables that are infected with the w32-Elkern virus. To detect if the server has a virus, use McAffee, scan engine 4.1.60 and virus definition 4.0.4230 or later.
The support patch installation does not launch any of these executables; therefore, the virus remains dormant unless manually launched by the administrator. The support patch installation automatically removes two of the executables, shutdowndbl.exe and kill.exe. The third executable, movlatr.exe, remains on the server after the installation.
C:\esbackout\movelatr.exe (Size: 165KB Date: 1/10/2000)
C:\Documents and Settings\user that ran spA\Local Settings\Temp\pftxx.tmp\kill.exe (Size: 25KB Date: 12/13/1994)
C:\Documents and Settings\user that ran spA\Local Settings\Temp\pftxx.tmp\shutdownDBL.exe (Size: 38KB Date: 4/26/2000)
In the filename pftxx.tmp, xx will be two alphanumeric charaters.
Cisco performs virus checking during the build process, and is currently investigating ways to improve the process because of this incident.
All servers that run Cisco CallManager 3.1(4b)_spA contain the infected files.
To verify the CallManager version locate the "ciscoupdate.txt" file from "Start > Programs > Cisco CallManager > Patches". Select the ciscoupdate.txt file and scroll through it to determine the latest support patch version installed on server.
Remove infected files on all servers that run Cisco CallManager 3.1(4b)_spA. Delete: C:\esbackout\movelatr.exe, and confirm that shutdownDBL.exe and kill.exe do not exist in C:\Documents and Settings\user that ran spA\Local Settings\Temp\pftxx.tmp\, where the xx in pftxx.tmp is two alphanumeric characters.
To follow the link below and download software, you must be a registered user and you must be logged in.
If the administrator manually executes any of the infected files and the infected computer has a network connection open to other computers through a mapped drive, the virus will probably infect the remote computers.
Free cleaning utilities can be found at the following links.
Although cleaning the virus will prevent further infection, the cleaning utilities cannot repair any damage done. It may be necessary to reinstall some of the software on the client machine.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.