 Release Notes for McAfee Rootkit Detective Beta Version 1.0
                    Developed by
                McAfee Avert Labs
  Copyright (C) 2005-2006 McAfee, Inc. All Rights Reserved
  Your use of the McAfee Rootkit Detective is subject to the
  Beta Software License terms at the end of this document.

 ===========================================================

Thank you for using the McAfee Rootkit Detective beta
software. This file contains important information
regarding this release. We strongly recommend that
you read the entire document.

We are pleased to offer this build to you for testing.
This is a beta build and is still under ongoing development.
This build gives you an opportunity to test and report any issue
you see in your environment.


    IMPORTANT:
    McAfee Avert strongly recommends that you use
    any pre-release software (beta or release
    candidate) in a test environment only.
    Pre-release software should NOT be installed in
    a production environment.

    As this version of the software does not upgrade
    automatically, you need to obtain the latest beta
    release, release candidate, or production release
    manually by downloading it directly from the Website.


__________________________________________________________
WHAT'S IN THIS FILE

-   Introduction
-   Scope of this Beta Release
-   Features
-   Installation & System Requirements
-   Supported Products
-   Beta Known Issues
-   Documentation
-   Contact Information
-   Copyright, Trademark Attributions & Patents
   -   Trademarks
   -   License Agreement and Attributions
   -   Patents


__________________________________________________________

INTRODUCTION 
    McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to proactively detect
    and clean rootkits that are running on the system.
    
SCOPE OF THIS BETA RELEASE

This beta version (McAfee Rootkit Detective Beta 1.0):

-   Does not expire. Discontinue use of this build once a newer
    version is released.

-   Works on all supported platforms (refer to Installation and
    System Requirements).

For additional information or feedback about the Rootkit Detective 1.0 please contact stinger@avertlabs.com


FEATURES

    The following features are designed to proactively detect and clean rootkits from the system. The program
    does not depend on signatures, so it is intended to detect most existing and future rootkits and to let
    the user clean them.
    
    1. Detects system objects (processes, files and registry entries) that are hidden from the user. 
    2. Provides information about all running processes on the system. 
    3. Provides information about system hooks such as SSDT (System Service Descriptor Table) hooks and 
       user-mode/kernel-mode IAT/EAT (Import/Export Address Table) hooks. 
    4. Allows the user to clean/remove malicious objects from the system by renaming or deleting the hidden 
       files and registry entries. 
    5. Allows the user to terminate malicious processes.
    6. Allows the user to submit samples with the submission feature built into the tool.
    7. Alternatively, the user can collect the samples manually after renaming them and submit them to
       stinger@avertlabs.com for further analysis.
     
    
The Rootkit Detective log file lists the hidden files that were found. Files that were renamed carry a .REN extension
after the reboot. Search the system for these files and submit them, with your comments, to stinger@avertlabs.com for
further analysis. Zip the files, protect the archive with the password "infected", and put "Rootkit Detective" in the
subject line of the mail.
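The feature list above says the tool finds processes that are hidden from the user but does not say how. The following is an added illustration, not code from Rootkit Detective or from McAfee, of the cross-view technique commonly used for that: enumerate processes once through the normal Windows API (a Toolhelp snapshot) and once by brute-forcing PIDs through OpenProcess, then flag any PID that is alive in the second view but missing from the first. The Windows collectors are assumed to be run elevated, as the tool itself requires; the comparison logic is exercised on constructed sample views so it can be run on any platform.

```python
"""Cross-view check for hidden processes (added illustration, not
Rootkit Detective code).  A rootkit that filters the process list hides
its process from the API view; opening by PID does not go through that
list, so the process usually still appears in the brute-force view.
"""
import ctypes
import sys

TH32CS_SNAPPROCESS = 0x00000002
PROCESS_QUERY_INFORMATION = 0x0400
STILL_ACTIVE = 259
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260


class PROCESSENTRY32(ctypes.Structure):
    """ANSI PROCESSENTRY32 as consumed by Process32First/Process32Next."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_size_t),   # ULONG_PTR
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_char * MAX_PATH),
    ]


def _kernel32():
    """kernel32 with 64-bit-safe prototypes for the calls used below (Windows only)."""
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    k32.Process32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetExitCodeProcess.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def toolhelp_view():
    """API view: {pid: exe name} as reported by a Toolhelp snapshot."""
    k32 = _kernel32()
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError()
    view = {}
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            view[entry.th32ProcessID] = entry.szExeFile.decode(errors="replace")
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return view


def brute_force_view(max_pid=65536):
    """Raw view: every PID for which OpenProcess hands back a live handle.

    Run elevated: a PID that is access-denied is skipped, which is a
    false negative, never a false positive.  Exited processes whose PID
    is still held open are excluded via the STILL_ACTIVE exit code.
    """
    k32 = _kernel32()
    alive = set()
    code = ctypes.c_uint32()
    for pid in range(4, max_pid, 4):            # Windows PIDs are multiples of 4
        handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid)
        if not handle:
            continue
        try:
            if k32.GetExitCodeProcess(handle, ctypes.byref(code)) and code.value == STILL_ACTIVE:
                alive.add(pid)
        finally:
            k32.CloseHandle(handle)
    return alive


def hidden_processes(api_view, raw_view):
    """PIDs present in the raw view but absent from the API view, sorted."""
    return sorted(set(raw_view) - set(api_view))


# Constructed sample views (not captured from a real system): PID 1788 is
# alive but was filtered out of the API view, the discrepancy a hidden
# process leaves behind.
SAMPLE_API_VIEW = {4: "System", 620: "csrss.exe", 1064: "explorer.exe"}
SAMPLE_RAW_VIEW = {4, 620, 1064, 1788}

if __name__ == "__main__":
    if sys.platform == "win32":
        api, raw = toolhelp_view(), brute_force_view()
    else:
        api, raw = SAMPLE_API_VIEW, SAMPLE_RAW_VIEW
    for pid in hidden_processes(api, raw):
        print("hidden process: PID %d" % pid)
```

A discrepancy from this check is a lead, not a verdict: a process that exited between the two enumerations, or one the current account cannot open, also makes the views disagree, so repeat the comparison and examine the flagged PID before treating it as a rootkit.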


__________________________________________________________
INSTALLATION AND SYSTEM REQUIREMENTS

This package is a zip file containing the following files:

1. Rootkit_Detective.exe - This file is the single and main executable that detects and cleans rootkits.
2. Readme.txt - This file contains all the information about the program.

Extract the zip file with any unzipping program and run the main executable. 
Read Readme.txt before using this program. This tool runs only with Administrator rights: 
log in as Administrator or as a user who has Administrator rights.

The following platforms are currently supported. English is the only supported OS language on all of them.

Operating Systems supported:
- Windows XP Home Edition with SP2
- Windows XP Professional Edition with SP2
- Windows 2000 with SP4
- Windows 2000 Server 
- Windows 2003 Server SP1

__________________________________________________________
SUPPORTED PRODUCTS

This tool has been tested for compatibility against the following products:

1. McAfee VirusScan Enterprise 8.0i
2. McAfee VirusScan Online 11
3. F-Secure Internet Security Suite 2006
4. Kaspersky Internet Security 2006
5. CA eTrust Internet Security Suite
6. Trend Micro PC-cillin Internet Security 2006
7. AVG Anti-Virus plus Firewall 7.1
8. Sygate Personal Firewall
9. Norton AntiVirus 2006
10. McAfee AntiSpyware Enterprise 8.0
11. MASE plug-in for VSE 8.0i
12. ZoneAlarm
13. McAfee VirusScan Enterprise 8.5i
14. Microsoft Windows OneCare

If you experience any issues with the above or with any other AV or firewall product, please send an e-mail to the 
address given in the Contact Information section.


__________________________________________________________
BETA KNOWN ISSUES

The following detections are expected from legitimate software and do not by themselves indicate a rootkit:

-  This tool will detect registry entries belonging to McAfee Entercept products if they are installed on your system.
-  This tool will detect mfehidk.sys, belonging to McAfee AntiSpyware Enterprise (standalone), as a hooked service.
-  This tool will detect IAT/EAT hooks pointing to shim.dll on Windows 2000 SP4 systems.
-  This tool will detect vsdatant.sys from ZoneAlarm as a hooked service with rootkit-like behavior.
-  This tool will detect Goback2k.sys as a hooked service with rootkit-like behavior on systems with GoBack installed.
-  This tool will detect fsndis5.sys from F-Secure as a hooked service if F-Secure Internet Security Suite 2006 is installed.
-  This tool will detect klif.sys from Kaspersky as a hooked service if Kaspersky Internet Security 2006 is installed.
-  This tool will detect FireTDS.sys from McAfee as a hooked service if McAfee Desktop Firewall is installed.
-  This tool will detect Hidsys.sys from McAfee as a hooked service if McAfee Host Intrusion Prevention is installed.
-  This tool will report the service name ZwCreateThread when a VSE product is installed on the system.
-  This tool will not run on Windows 2000 when Kaspersky Internet Security 2006 is installed.
-  This tool will detect many IAT/EAT hooks and SSDT hooks belonging to legitimate applications.

NOTE:  Some or all of the above issues may be addressed in the future releases.

__________________________________________________________
DOCUMENTATION

-   Help Link in the tool.
    A Help file, accessed from within the tool,
    provides quick access to concepts,
    definitions, and procedures for using the
    tool. 


-   This README file.


_________________________________________________________
CONTACT INFORMATION

THREAT CENTER:  McAfee(r) Avert(r) Labs
    Home Page
       http://www.mcafee.com/us/threat_center/default.asp

    Avert Labs Threat Library
       http://vil.nai.com/

    Avert WebImmune & Submit a Sample (Logon
    credentials required)
       https://www.webimmune.net/default.asp

    Avert DAT Notification Service
       http://vil.nai.com/vil/signup_DAT_notification.aspx

Contact stinger@avertlabs.com for any queries

McAfee Avert is devoted to providing solutions based on your input.


_____________________________________________________
LEGAL INFORMATION


BETA SOFTWARE LICENSE

BY DOWNLOADING AND INSTALLING THE MCAFEE ROOTKIT DETECTIVE (the "SOFTWARE"),
YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS SOFTWARE 
LICENSE AGREEMENT.  IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, 
THEN UNINSTALL THIS SOFTWARE PRODUCT AND DELETE ALL COPIES.

You, conditioned upon accepting these terms, are hereby granted a 
non-exclusive, non-transferable, non-royalty-bearing license to copy and 
install the Software for your internal use only.  You are NOT allowed to: 
(1) reverse engineer or otherwise attempt to discover the Software's source code;
(2) sell, assign, sublicense, rent, share or otherwise distribute the Software to third parties; or
(3) use, copy, print or display the McAfee logo in connection with your use of the Software.

THE SOFTWARE IS PROVIDED AS-IS, WITH NO WARRANTY WHATSOEVER, EXPRESS OR IMPLIED.
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND 
NON-INFRINGEMENT ARE SPECIFICALLY DISCLAIMED.  

McAfee reserves the right to terminate your license at any time for any reason, or even 
for no reason.  


TRADEMARKS

ACTIVE FIREWALL, ACTIVE SECURITY, ACTIVESECURITY
(AND IN KATAKANA), ACTIVESHIELD, CLEAN-UP, DESIGN
(STYLIZED E), DESIGN (STYLIZED N), ENTERCEPT,
EPOLICY ORCHESTRATOR, FIRST AID, FOUNDSTONE,
GROUPSHIELD, GROUPSHIELD (AND IN KATAKANA),
INTRUSHIELD, INTRUSION PREVENTION THROUGH
INNOVATION, MCAFEE, MCAFEE (AND IN KATAKANA), MCAFEE
AND DESIGN, MCAFEE.COM, MCAFEE VIRUSSCAN, NET TOOLS,
NET TOOLS (AND IN KATAKANA), NETSCAN, NETSHIELD,
NUTS & BOLTS, OIL CHANGE, PRIMESUPPORT, SPAMKILLER,
THREATSCAN, TOTAL VIRUS DEFENSE, VIREX, VIRUS FORUM,
VIRUSCAN, VIRUSSCAN, VIRUSSCAN (AND IN KATAKANA),
WEBSCAN, WEBSHIELD, WEBSHIELD (AND IN KATAKANA) are
registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other
countries. The color red in connection with security
is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are
the sole property of their respective owners.


_____________________________________________________
3rd PARTY OPEN SOURCE SOFTWARE AND PATENT INFORMATION

LICENSE ATTRIBUTIONS

This product includes or may include:
*Software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org/).
*Cryptographic software written by Eric A. Young
and software written by Tim J. Hudson. *Some
software programs that are licensed (or sublicensed)
to the user under the GNU General Public License
(GPL) or other similar Free Software licenses which,
among other rights, permit the user to copy, modify
and redistribute certain programs, or portions
thereof, and have access to the source code. The GPL
requires that for any software covered under the
GPL, which is distributed to someone in an
executable binary format, that the source code also
be made available to those users. For any such
software covered under the GPL, the source code is
made available on this CD. If any Free Software
licenses require that McAfee provide rights to use,
copy or modify a software program that are broader
than the rights granted in this agreement, then such
rights shall take precedence over the rights and
restrictions herein. *Software originally written
by Henry Spencer, Copyright 1992, 1993, 1994, 1997
Henry Spencer. *Software originally written by
Robert Nordier, Copyright (C) 1996-7 Robert Nordier.
*Software written by Douglas W. Sauder. *Software
developed by the Apache Software Foundation
(http://www.apache.org/). A copy of the license
agreement for this software can be found at
www.apache.org/licenses/LICENSE-2.0.txt.
*International Components for Unicode ("ICU")
Copyright (C)1995-2002 International Business
Machines Corporation and others. *Software
developed by CrystalClear Software, Inc., Copyright
(C)2000 CrystalClear Software, Inc. *FEAD(R)
Optimizer(R) technology, Copyright Netopsystems AG,
Berlin, Germany. *Outside In(R) Viewer Technology
(C)1992-2001 Stellent Chicago, Inc. and/or Outside
In(R) HTML Export, (C) 2001 Stellent Chicago, Inc.
*Software copyrighted by Thai Open Source Software
Center Ltd. and Clark Cooper, (C) 1998, 1999, 2000.
*Software copyrighted by Expat maintainers.
*Software copyrighted by The Regents of the
University of California, (C) 1996, 1989, 1998-2000.
*Software copyrighted by Gunnar Ritter. *Software
copyrighted by Sun Microsystems, Inc., 4150 Network
Circle, Santa Clara, California 95054, U.S.A., (C)
2003. *Software copyrighted by Gisle Aas. (C)
1995-2003. *Software copyrighted by Michael A.
Chase, (C) 1999-2000. *Software copyrighted by Neil
Winton, (C)1995-1996. *Software copyrighted by RSA
Data Security, Inc., (C) 1990-1992. *Software
copyrighted by Sean M. Burke, (C) 1999, 2000.
*Software copyrighted by Martijn Koster, (C) 1995.
*Software copyrighted by Brad Appleton, (C)
1996-1999.  *Software copyrighted by Michael G.
Schwern, (C)2001. *Software copyrighted by Graham
Barr, (C) 1998. *Software copyrighted by Larry Wall
and Clark Cooper, (C) 1998-2000. *Software
copyrighted by Frodo Looijaard, (C) 1997. *Software
copyrighted by the Python Software Foundation,
Copyright (C) 2001, 2002, 2003. A copy of the
license agreement for this software can be found at
www.python.org. *Software copyrighted by Beman
Dawes, (C) 1994-1999, 2002. *Software written by
Andrew Lumsdaine, Lie-Quan Lee, Jeremy G. Siek (C)
1997-2000 University of Notre Dame. *Software
copyrighted by Simone Bordet & Marco Cravero, (C)
2002. *Software copyrighted by Stephen Purcell, (C)
2001. *Software developed by the Indiana University
Extreme! Lab (http://www.extreme.indiana.edu/).
*Software copyrighted by International Business
Machines Corporation and others, (C) 1995-2003.
*Software developed by the University of
California, Berkeley and its contributors.
*Software developed by Ralf S. Engelschall
<rse@engelschall.com> for use in the mod_ssl project
(http:// www.modssl.org/). *Software copyrighted by
Kevlin Henney, (C) 2000-2002. *Software copyrighted
by Peter Dimov and Multi Media Ltd. (C) 2001, 2002.
*Software copyrighted by David Abrahams, (C) 2001,
2002. See http://www.boost.org/libs/bind/bind.html
for documentation. *Software copyrighted by Steve
Cleary, Beman Dawes, Howard Hinnant & John Maddock,
(C) 2000. *Software copyrighted by Boost.org, (C)
1999-2002. *Software copyrighted by Nicolai M.
Josuttis, (C) 1999. *Software copyrighted by Jeremy
Siek, (C) 1999-2001. *Software copyrighted by
Daryle Walker, (C) 2001. *Software copyrighted by
Chuck Allison and Jeremy Siek, (C) 2001, 2002.
*Software copyrighted by Samuel Krempp, (C) 2001.
See http://www.boost.org for updates, documentation,
and revision history. *Software copyrighted by Doug
Gregor (gregod@cs.rpi.edu), (C) 2001, 2002.
*Software copyrighted by Cadenza New Zealand Ltd.,
(C) 2000. *Software copyrighted by Jens Maurer,
(C)2000, 2001. *Software copyrighted by Jaakko
Järvi (jaakko.jarvi@cs.utu.fi), (C)1999, 2000.
*Software copyrighted by Ronald Garcia, (C) 2002.
*Software copyrighted by David Abrahams, Jeremy
Siek, and Daryle Walker, (C)1999-2001. *Software
copyrighted by Stephen Cleary (shammah@voyager.net),
(C)2000. *Software copyrighted by Housemarque Oy
<http://www.housemarque.com>, (C) 2001. *Software
copyrighted by Paul Moore, (C) 1999. *Software
copyrighted by Dr. John Maddock, (C) 1998-2002.
*Software copyrighted by Greg Colvin and Beman
Dawes, (C) 1998, 1999. *Software copyrighted by
Peter Dimov, (C) 2001, 2002. *Software copyrighted
by Jeremy Siek and John R. Bandela, (C) 2001.
*Software copyrighted by Joerg Walter and Mathias
Koch, (C) 2000-2002. *Software copyrighted by
Carnegie Mellon University (C) 1989, 1991, 1992.
*Software copyrighted by Cambridge Broadband Ltd.,
(C) 2001-2003. *Software copyrighted by Sparta,
Inc., (C) 2003-2004. *Software copyrighted by
Cisco, Inc and Information Network Center of Beijing
University of Posts and Telecommunications, (C)
2004. *Software copyrighted by Simon Josefsson, (C)
2003. *Software copyrighted by Thomas Jacob, (C)
2003-2004. *Software copyrighted by Advanced
Software Engineering Limited, (C) 2004. *Software
copyrighted by Todd C. Miller, (C) 1998. *Software
copyrighted by The Regents of the University of
California, (C) 1990, 1993, with code derived from
software contributed to Berkeley by Chris Torek.



PATENTS
Protected by US Patents 6,006,035; 6,029,256;
6,035,423; 6,151,643; 6,230,288; 6,266,811;
6,269,456; 6,457,076; 6,496,875; 6,542,943;
6,594,686; 6,611,925; 6,622,150; 6,668,289;
6,697,950; 6,735,700; 6,748,534; 6,763,403;
6,763,466; 6,775,780; 6,851,058; 6,886,099;
6,898,712; 6,928,555; 6,931,540; 6,938,161;
6,944,775; 6,963,978; 6,968,461; 6,971,023;
6,973,577; 6,973,578.

DBN-004h-EN

V3.1.4
