Release Notes for McAfee Rootkit Detective Version 1.0
                  Developed by
              McAfee Avert Labs
Copyright (C) 2005-2007 McAfee, Inc. All Rights Reserved
Your use of McAfee Rootkit Detective is subject to the
Software License terms at the end of this document.

===========================================================

Thank you for using McAfee Rootkit Detective 1.0
Software. This readme file contains important information
regarding this release. We strongly recommend that
you read the entire document before you run the tool.

    IMPORTANT:
    Rootkit Detective allows you to detect and repair
    rootkits that hide their processes, files and registry
    entries. We strongly suggest that you exercise full
    caution when taking a repair action against hidden
    files, registry entries and processes, as this may
    lead to serious system stability issues depending on
    how the rootkit injects its components into the
    execution environment.

    As this version of the software has no support for
    automatic upgrading, you need to obtain the latest
    release (a new release, a release candidate, or a
    production release) manually by downloading it
    directly from the Website.

__________________________________________________________
WHAT'S IN THIS FILE

-   Introduction
-   Scope of this Release
-   Features
-   Installation & System Requirements
-   Supported Products
-   Known Issues
-   Documentation
-   Contact Information
-   Copyright, Trademark Attributions & Patents
   -   Trademarks
   -   License Agreement and Attributions
   -   Patents

__________________________________________________________

INTRODUCTION 
    McAfee Rootkit Detective is a program designed and 
    developed by McAfee Avert Labs to proactively detect 
    and clean rootkits that are running on the system.
    
SCOPE OF THIS RELEASE

McAfee Avert Rootkit Detective Release 1.0:

-   Is provided as a free tool, at no charge.

-   Works on all supported platforms (refer to Installation 
    and System Requirements).

For additional information or feedback about Rootkit 
Detective 1.0, please contact stinger@avertlabs.com.

FEATURES

    The following features of this program are designed 
    to proactively detect and clean rootkits from 
    the system. The program does not depend on any signatures 
    and can proactively detect most existing 
    and upcoming rootkits and allow the user to clean them.
    
    1. Proactively detects processes, files and registry entries 
       that are hidden from the system user or security applications. 
    2. Provides information about all running processes in the 
       system. 
    3. Provides information about various system hooks, such as SSDT
       (System Service Descriptor Table) hooks and 
       user/kernel IAT/EAT (Import/Export Address Table) hooks. 
    4. Allows the user to clean/remove malicious objects from 
       the system by renaming/deleting the hidden 
       files/registry entries. 
    5. Allows the user to terminate malicious processes.
    6. Users can submit samples using the submission feature present 
       in the tool.
    7. Users can also collect the samples manually after renaming 
       them and submit them to stinger@avertlabs.com for further analysis.
     
    
Rootkit Detective generates a log file which contains detailed information 
about what the tool finds when running on the user's system. Files that have 
been renamed will carry a .REN extension after reboot.
Users can search for log files on their systems and submit these files for 
further analysis with their comments to stinger@avertlabs.com.
Zip the files, password-protect the archive with the password "infected", and 
mention Rootkit Detective in the subject line when you send the mail.


__________________________________________________________
INSTALLATION AND SYSTEM REQUIREMENTS

This package is a zip file containing the following files:

1. Rootkit_Detective.exe - The single main executable that detects and 
   cleans rootkits.
2. Readme.txt - This file, which contains all the information about the program.

Extract the zip file on the system with any unzipping program and run the 
main executable. 

Please read Readme.txt before using this program. The tool only runs with 
Administrator rights. 

Run this program while logged in as the Administrator user or as any user 
with Administrator rights.

The following platforms are currently supported. English is the only 
supported OS language on all supported platforms.

Operating Systems supported:
- Windows XP Home Edition with SP2
- Windows XP Professional Edition with SP2
- Windows 2000 with SP4
- Windows 2000 Server 
- Windows 2003 Server SP1

Note: Please follow the Microsoft recommendations for system requirements for 
all the supported platforms. We recommend a minimum of 256MB memory for Server 
Platforms.

__________________________________________________________
SUPPORTED PRODUCTS

This tool has been tested for compatibility against the following products:

1. McAfee VirusScan Enterprise 8.0i
2. McAfee VirusScan Online 11
3. F-Secure Internet Security Suite 2006
4. Kaspersky Internet Security 2006
5. CA eTrust Internet Security Suite
6. Trend Micro PC-cillin Internet Security 2006
7. AVG Anti-Virus plus Firewall 7.1
8. Sygate Personal Firewall
9. Norton AntiVirus 2006
10. McAfee AntiSpyware Enterprise 8.0
11. MASE Plugin for VSE 8.0i
12. ZoneAlarm
13. McAfee VirusScan Enterprise 8.5i
14. Microsoft Windows OneCare

In case you experience any issues with the above or any other AV or firewall 
products, please send an e-mail to the address specified in the Contact 
Information section.


__________________________________________________________
KNOWN ISSUES

1. Known detection issues
Rootkit Detective allows end users to list suspicious hooks made to the system kernel. 
These hooks are used by rootkits but also by legitimate security applications. This 
section lists the device drivers from various security vendors that hook into the 
system kernel and which the tool will therefore show while doing the kernel integrity 
scan. 

We ask the end user not to take any action against any of those device drivers, as this 
may lead to serious system stability issues and at the minimum would disable their 
security application. In addition, some security applications hide some entries. Those 
are listed as well.

-  Detects registry entries pertaining to McAfee Entercept products.
-  Detects kernel services hooked by the mfehidk.sys file pertaining to McAfee 
   AntiSpyware Enterprise (standalone).
-  Detects IAT/EAT hooks on Windows 2000 SP4 systems pointing to shim.dll.
-  Detects vsdatant.sys from ZoneAlarm as a hooked service with rootkit-like 
   behavior.
-  Detects Goback2k.sys as a hooked service with rootkit-like behavior on 
   systems that have GoBack software installed.
-  Detects fsndis5.sys from F-Secure as a hooked service if F-Secure Internet 
   Security Suite 2006 is installed on the system.
-  Detects klif.sys from Kaspersky as a hooked service if Kaspersky Internet 
   Security 2006 is installed on the system.
-  Detects FireTDS.sys from McAfee as a hooked service if McAfee Desktop 
   Firewall is installed on the system.
-  Detects Hidsys.sys from McAfee as a hooked service if McAfee Host Intrusion 
   Prevention is installed on the system.
-  Detects the service name ZwCreateThread when the VSE product is installed on 
   the system.

2. Additional detection issues
In addition to the hooks listed in the previous section, the tool will detect many IAT/EAT 
hooks and SSDT hooks belonging to other legitimate applications.

3. Running issue
The tool will not run on Windows 2000 platforms when Kaspersky Internet Security 2006 
is installed.

NOTE:  Some or all of the above issues may be addressed in future releases.
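As an added example that is not part of McAfee Rootkit Detective, the check below implements the user-mode IAT hook detection named under Features (item 3) and triages its hits against the legitimate hooking drivers listed in the Known Issues section above. The loaded-module map, the IAT entries and all addresses are constructed sample data (assumptions); the driver and product names in KNOWN_HOOKERS are the ones this README gives.

```python
# Added example (not McAfee code): flag IAT slots that resolve outside the
# module they were declared from, then triage hits against the legitimate
# hooking modules listed in this README's Known Issues section.

# Drivers/DLLs the Known Issues section names as legitimate hookers.
KNOWN_HOOKERS = {
    "mfehidk.sys": "McAfee AntiSpyware Enterprise",
    "vsdatant.sys": "ZoneAlarm",
    "goback2k.sys": "GoBack",
    "fsndis5.sys": "F-Secure Internet Security Suite 2006",
    "klif.sys": "Kaspersky Internet Security 2006",
    "firetds.sys": "McAfee Desktop Firewall",
    "hidsys.sys": "McAfee Host Intrusion Prevention",
    "shim.dll": "Windows 2000 SP4",
}

# Constructed loaded-module map (assumption): (name, base, size).
SAMPLE_MODULES = [
    ("kernel32.dll", 0x7C800000, 0xF6000),
    ("ntdll.dll", 0x7C900000, 0xB2000),
    ("vsdatant.sys", 0xF8A00000, 0x20000),
    ("unknown.sys", 0xF9B00000, 0x8000),
]

# Constructed IAT entries (assumption): (image, declared module, function, addr).
SAMPLE_IAT = [
    ("iexplore.exe", "kernel32.dll", "CreateFileW", 0x7C801A28),
    ("iexplore.exe", "ntdll.dll", "NtQuerySystemInformation", 0xF8A01234),
    ("iexplore.exe", "ntdll.dll", "NtQueryDirectoryFile", 0xF9B00100),
    ("iexplore.exe", "kernel32.dll", "Process32Next", 0x00401000),
]

def owning_module(addr, modules):
    """Name of the module whose [base, base + size) range contains addr."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def check_iat(entries, modules):
    """Return (image, function, declared, owner, verdict) per IAT entry."""
    findings = []
    for image, declared, func, addr in entries:
        owner = owning_module(addr, modules)
        if owner is not None and owner.lower() == declared.lower():
            verdict = "clean"
        elif owner is not None and owner.lower() in KNOWN_HOOKERS:
            verdict = "known-legit:" + KNOWN_HOOKERS[owner.lower()]
        else:
            # Unmapped address or unlisted module: a lead for review, not a
            # verdict (export forwarding also moves addresses across modules).
            verdict = "review"
        findings.append((image, func, declared, owner, verdict))
    return findings
```

A "review" verdict is only a lead: compare the owning module against the Known Issues list and the products installed on the machine before taking any repair action.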

__________________________________________________________
DOCUMENTATION

-   Help Link in the tool.
    A Help file, accessed from within the tool,
    provides quick access to concepts,
    definitions, and procedures for using the
    tool. 


-   This README file.


_________________________________________________________
CONTACT INFORMATION

THREAT CENTER:  McAfee(r) Avert(r) Labs
    Home Page
       http://www.mcafee.com/us/threat_center/default.asp

    Avert Labs Threat Library
       http://vil.nai.com/

    Avert WebImmune & Submit a Sample (Logon
    credentials required)
       https://www.webimmune.net/default.asp

    Avert DAT Notification Service
       http://vil.nai.com/vil/signup_DAT_notification.aspx

Contact stinger@avertlabs.com for any queries.

McAfee Avert is devoted to providing solutions based on your input.


_____________________________________________________
LEGAL INFORMATION


SOFTWARE LICENSE

BY DOWNLOADING AND INSTALLING THE MCAFEE ROOTKIT DETECTIVE (the "SOFTWARE"),
YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS SOFTWARE 
LICENSE AGREEMENT.  IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, 
THEN UNINSTALL THIS SOFTWARE PRODUCT AND DELETE ALL COPIES.

You, conditioned upon accepting these terms, are hereby granted a 
non-exclusive, non-transferable, non-royalty-bearing license to copy and 
install the Software for your internal use only.  You are NOT allowed to: 
(1) reverse engineer or otherwise attempt to discover the Software's source code;
(2) sell, assign, sublicense, rent, share or otherwise distribute the Software to 3rd parties; or
(3) use, copy, print or display the McAfee logo in connection with your use of the Software.

THE SOFTWARE IS PROVIDED AS-IS, WITH NO WARRANTY WHATSOEVER, EXPRESS OR IMPLIED.
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND 
NON-INFRINGEMENT ARE SPECIFICALLY DISCLAIMED.  

McAfee reserves the right to terminate your license at any time for any reason, or even 
for no reason.  


TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY
(AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN
(STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT,
EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE,
GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA),
INTRUSHIELD, INTRUSION PREVENTION THROUGH
INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE
AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS,
NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD,
NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER,
THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM,
VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA),
WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are
registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other
countries. The color red in connection with security
is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are
the sole property of their respective owners.


_____________________________________________________
3rd PARTY OPEN SOURCE SOFTWARE AND PATENT INFORMATION

LICENSE ATTRIBUTIONS

This product includes or may include:
* Software developed by the OpenSSL Project for use in the OpenSSL Toolkit
  (http://www.openssl.org/).
* Cryptographic software written by Eric A. Young and software written by
  Tim J. Hudson.
* Some software programs that are licensed (or sublicensed) to the user under
  the GNU General Public License (GPL) or other similar Free Software licenses
  which, among other rights, permit the user to copy, modify and redistribute
  certain programs, or portions thereof, and have access to the source code.
  The GPL requires that for any software covered under the GPL, which is
  distributed to someone in an executable binary format, that the source code
  also be made available to those users. For any such software covered under
  the GPL, the source code is made available on this CD. If any Free Software
  licenses require that McAfee provide rights to use, copy or modify a software
  program that are broader than the rights granted in this agreement, then such
  rights shall take precedence over the rights and restrictions herein.
* Software originally written by Henry Spencer, Copyright 1992, 1993, 1994,
  1997 Henry Spencer.
* Software originally written by Robert Nordier, Copyright (C) 1996-7 Robert
  Nordier.
* Software written by Douglas W. Sauder.
* Software developed by the Apache Software Foundation (http://www.apache.org/).
  A copy of the license agreement for this software can be found at
  www.apache.org/licenses/LICENSE-2.0.txt.
* International Components for Unicode ("ICU") Copyright (C) 1995-2002
  International Business Machines Corporation and others.
* Software developed by CrystalClear Software, Inc., Copyright (C) 2000
  CrystalClear Software, Inc.
* FEAD(R) Optimizer(R) technology, Copyright Netopsystems AG, Berlin, Germany.
* Outside In(R) Viewer Technology (C) 1992-2001 Stellent Chicago, Inc. and/or
  Outside In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
* Software copyrighted by Thai Open Source Software Center Ltd. and Clark
  Cooper, (C) 1998, 1999, 2000.
* Software copyrighted by Expat maintainers.
* Software copyrighted by The Regents of the University of California,
  (C) 1996, 1989, 1998-2000.
* Software copyrighted by Gunnar Ritter.
* Software copyrighted by Sun Microsystems, Inc., 4150 Network Circle, Santa
  Clara, California 95054, U.S.A., (C) 2003.
* Software copyrighted by Gisle Aas. (C) 1995-2003.
* Software copyrighted by Michael A. Chase, (C) 1999-2000.
* Software copyrighted by Neil Winton, (C) 1995-1996.
* Software copyrighted by RSA Data Security, Inc., (C) 1990-1992.
* Software copyrighted by Sean M. Burke, (C) 1999, 2000.
* Software copyrighted by Martijn Koster, (C) 1995.
* Software copyrighted by Brad Appleton, (C) 1996-1999.
* Software copyrighted by Michael G. Schwern, (C) 2001.
* Software copyrighted by Graham Barr, (C) 1998.
* Software copyrighted by Larry Wall and Clark Cooper, (C) 1998-2000.
* Software copyrighted by Frodo Looijaard, (C) 1997.
* Software copyrighted by the Python Software Foundation, Copyright (C) 2001,
  2002, 2003. A copy of the license agreement for this software can be found
  at www.python.org.
* Software copyrighted by Beman Dawes, (C) 1994-1999, 2002.
* Software written by Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek
  (C) 1997-2000 University of Notre Dame.
* Software copyrighted by Simone Bordet & Marco Cravero, (C) 2002.
* Software copyrighted by Stephen Purcell, (C) 2001.
* Software developed by the Indiana University Extreme! Lab
  (http://www.extreme.indiana.edu/).
* Software copyrighted by International Business Machines Corporation and
  others, (C) 1995-2003.
* Software developed by the University of California, Berkeley and its
  contributors.
* Software developed by Ralf S. Engelschall <rse@engelschall.com> for use in
  the mod_ssl project (http://www.modssl.org/).
* Software copyrighted by Kevlin Henney, (C) 2000-2002.
* Software copyrighted by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
* Software copyrighted by David Abrahams, (C) 2001, 2002. See
  http://www.boost.org/libs/bind/bind.html for documentation.
* Software copyrighted by Steve Cleary, Beman Dawes, Howard Hinnant & John
  Maddock, (C) 2000.
* Software copyrighted by Boost.org, (C) 1999-2002.
* Software copyrighted by Nicolai M. Josuttis, (C) 1999.
* Software copyrighted by Jeremy Siek, (C) 1999-2001.
* Software copyrighted by Daryle Walker, (C) 2001.
* Software copyrighted by Chuck Allison and Jeremy Siek, (C) 2001, 2002.
* Software copyrighted by Samuel Krempp, (C) 2001. See http://www.boost.org
  for updates, documentation, and revision history.
* Software copyrighted by Doug Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
* Software copyrighted by Cadenza New Zealand Ltd., (C) 2000.
* Software copyrighted by Jens Maurer, (C) 2000, 2001.
* Software copyrighted by Jaakko Järvi (jaakko.jarvi@cs.utu.fi), (C) 1999,
  2000.
* Software copyrighted by Ronald Garcia, (C) 2002.
* Software copyrighted by David Abrahams, Jeremy Siek, and Daryle Walker,
  (C) 1999-2001.
* Software copyrighted by Stephen Cleary (shammah@voyager.net), (C) 2000.
* Software copyrighted by Housemarque Oy <http://www.housemarque.com>,
  (C) 2001.
* Software copyrighted by Paul Moore, (C) 1999.
* Software copyrighted by Dr. John Maddock, (C) 1998-2002.
* Software copyrighted by Greg Colvin and Beman Dawes, (C) 1998, 1999.
* Software copyrighted by Peter Dimov, (C) 2001, 2002.
* Software copyrighted by Jeremy Siek and John R. Bandela, (C) 2001.
* Software copyrighted by Joerg Walter and Mathias Koch, (C) 2000-2002.
* Software copyrighted by Carnegie Mellon University (C) 1989, 1991, 1992.
* Software copyrighted by Cambridge Broadband Ltd., (C) 2001-2003.
* Software copyrighted by Sparta, Inc., (C) 2003-2004.
* Software copyrighted by Cisco, Inc and Information Network Center of
  Beijing University of Posts and Telecommunications, (C) 2004.
* Software copyrighted by Simon Josefsson, (C) 2003.
* Software copyrighted by Thomas Jacob, (C) 2003-2004.
* Software copyrighted by Advanced Software Engineering Limited, (C) 2004.
* Software copyrighted by Todd C. Miller, (C) 1998.
* Software copyrighted by The Regents of the University of California,
  (C) 1990, 1993, with code derived from software contributed to Berkeley by
  Chris Torek.



PATENTS
Protected by US Patents 6,006,035; 6,029,256;
6,035,423; 6,151,643; 6,230,288; 6,266,811;
6,269,456; 6,457,076; 6,496,875; 6,542,943;
6,594,686; 6,611,925; 6,622,150; 6,668,289;
6,697,950; 6,735,700; 6,748,534; 6,763,403;
6,763,466; 6,775,780; 6,851,058; 6,886,099;
6,898,712; 6,928,555; 6,931,540; 6,938,161;
6,944,775; 6,963,978; 6,968,461; 6,971,023;
6,973,577; 6,973,578.

DBN-004h-EN

V3.1.4
