omen (Beginner)
05 December 2001 - 19:55. There is 1 solution

W32.Nimda.A@mm (dll)

I have had an Admin.dll in the root of my C: drive for a long time now, and I don't actually know which program it belongs to. And now NAV2002 has found this virus in the file: W32.Nimda.A@mm (dll). It cannot repair the file, so can I delete it without anything happening?
NanoQ (Beginner)
05 December 2001 - 20:00 #1

DISINFECTION INSTRUCTIONS

F-Secure Anti-Virus with the latest updates can detect and disinfect Nimda infections. But full disinfection of the worm will require some additional manual actions.

The F-NIMDA tool was developed to automate these actions. If you wish to do them by hand, follow the instructions below. Otherwise, download F-NIMDA from

ftp://ftp.f-secure.com/anti-virus/tools/fsnimda3.exe

If you're running Windows ME, you need to turn off the Autorestore functionality before starting any disinfection. Do this by clicking My Computer on desktop, then Performance->File System ->Troubleshooting->Disable System Restore. Turn it back on when done.

To disinfect the worm and restore security of affected workstations, please follow these instructions:

1. Disable all network sharing or temporarily kill the network. This is a _must_ as the worm uses the network to spread itself.

2. Scan _all_ files (not just files with selected extensions) on all local hard drives and clean all infected EXE files using F-Secure Anti-Virus and the latest updates. It is recommended that you use one of the latest FSAV versions to remove infection.

3. Delete or rename (if not possible to delete instantly) all non-disinfectable or locked files including worm droppers (typically 57kB in size):


  MMC.EXE (in Windows directory)
  LOAD.EXE (in Windows' system directory)
  ADMIN.DLL (in root folder of all local hard drives)
  RICHED20.DLL (in all folders on all local hard drives)


  All *.EML and *.NWS files (typically 79kB in size) that are
  detected as infected with Nimda should be deleted. Note that
  you might have clean EML files as well, for example if you've
  saved e-mails to file from Outlook Express, so only delete
  files that FSAV detects as infected.

If an infected file is locked by Windows, complete disinfection, exit to pure DOS or boot your system with a clean system diskette and rename/delete the file manually. In case of NT/2000 based system the locked file(s) should be renamed with a non-executable extension to ensure that it doesn't start when Windows is booted next time.

4. Restart a system. Do not connect it to the network yet. It is advised to scan all files on all local drives with FSAV again to ensure that there are no more infected files in a system.

5. Locate SYSTEM.INI file in your Windows directory and open it with Wordpad or Notepad. Replace the string "shell=explorer.exe load.exe -donotloadold" with "shell=explorer.exe" string.

6. Delete all files with .TMP extensions from your local temporary directories - typically \Temp\ or \Windows\Temp\ or \documents and settings\username\local settings\temp.

7. Copy a clean RICHED20.DLL file to \Windows\System\ or \WinNT\System32\ folders. This DLL file is used by many applications and they won't run if this DLL is missing. You can locate a clean RICHED20.DLL file from a clean Windows machine, or extract it from Office 2000 CD with this command:

  EXTRACT /A r:\office1.cab riched20.dll /L c:\windows\system

8. Remove all shares from all local hard drives and renew these shares with correct access rights if needed. This needs to be done because the worm affects shares security. Check especially the \\localhost\c$ share rights.

9. Remove 'Guest' account and renew it with correct access rights and group placement ('Guest' account should not be in 'Administrators' group).

10. Check all *.HTML, *.ASP, and *.HTM as well as files that have 'DEFAULT', 'INDEX', 'MAIN' and 'README' words in their filenames for the small JavaScript code referring to README.EML file and remove it or restore the affected files from a backup. This JavaScript code is located in the very end of affected files.

11. When cleaning a webserver from Nimda, the CodeRed II backdoor infections should be removed as well. Please refer to 'CodeRed' description and cleaning instructions.

http://www.europe.f-secure.com/v-descs/bady.shtml

12. Correct Windows Explorer's settings concerning displaying of hidden files and certain extensions if necessary, as the worm makes Explorer hide certain files and extensions.

13. Restore network connections only after all workstations are disinfected or the worm will re-infect already clean computers!
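A small offline checker for the indicators named in steps 3, 5 and 10 of the instructions above, added here as an example; it is not F-Secure's F-NIMDA tool and not part of the original post. The dropper file names, the SYSTEM.INI shell= string and the README.EML reference are taken from the instructions; the sample files and the script pattern are constructed, and the 2048-character tail window is an assumption.

```python
# Offline checks for the Nimda indicators in the pasted F-Secure steps 3, 5 and 10.
# Added example, not F-Secure's F-NIMDA tool; the sample files are constructed.
import os
import pathlib
import re
import tempfile

DROPPER_NAMES = {"mmc.exe", "load.exe", "admin.dll", "riched20.dll"}  # step 3
INFECTED_SHELL = "shell=explorer.exe load.exe -donotloadold"          # step 5
CLEAN_SHELL = "shell=explorer.exe"
# Step 10: a <script> in the file tail that mentions README.EML (reference only).
TAIL_SCRIPT = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.I)

def read_text(path):
    return pathlib.Path(path).read_text(encoding="latin-1")  # decodes any byte

def system_ini_infected(text):
    """True if any line equals the worm's shell= entry (case-insensitive)."""
    return any(l.strip().lower() == INFECTED_SHELL for l in text.splitlines())

def clean_system_ini(text):
    """Put the clean shell= line back; every other line is kept as-is."""
    return "\n".join(CLEAN_SHELL if l.strip().lower() == INFECTED_SHELL else l
                     for l in text.splitlines())

def scan_tree(root):
    # Return sorted posix-style paths (relative to root) that match an indicator.
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, low = os.path.join(dirpath, name), name.lower()
            if (low in DROPPER_NAMES
                    or low == "system.ini" and system_ini_infected(read_text(path))
                    or low.endswith((".htm", ".html", ".asp"))
                    and TAIL_SCRIPT.search(read_text(path)[-2048:])):  # tail only
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

SAMPLE_FILES = {  # constructed drive image, not captured from an infection
    "ADMIN.DLL": "",
    "windows/system.ini": "[boot]\nSHELL=explorer.exe load.exe -donotloadold\n",
    "www/about.htm": "<html><body>clean page</body></html>\n",
    "www/default.htm": '<html><body>hi</body></html>\n<script>window.open("readme.eml")</script>\n',
}
def build_sample_tree():
    root = tempfile.mkdtemp()  # fresh temp dir; returned for scan_tree()
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        pathlib.Path(path).write_text(body)
    return root
```

Run scan_tree() against a drive root (or the constructed tree from build_sample_tree()) and review every hit by hand; the clean about.htm in the sample tree shows the tail check does not flag ordinary pages.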
