© 1995-2005 Symantec Corporation.
All rights reserved.
W32.Nimda.A@mm Removal Tool
===========================

Last Updated on: March 4, 2003 01:53:55 PM PST



Symantec has provided a fixtool to remove infections of
W32.Nimda.A@mm. To read the write-up, which describes this threat in
detail, click here.


Caution. Please read this first:
There are several variants of W32.Nimda in general circulation. Two of
the most common are:

* W32.Nimda.A@mm

* W32.Nimda.E@mm

Symantec Security Response has created separate removal tools for both
of these threats. The tools are not interchangeable. Before you can
use a removal tool, you must know which variant has infected the
computer. The tool that can be downloaded from this document is
designed to remove infections of W32.Nimda.A@mm. (Note the .A). It
will not remove infections of W32.Nimda.E@mm. If you need to remove a
W32.Nimda.E@mm infection, click here.


To obtain and run the W32.Nimda.A@mm tool:

NOTES:

* You must have administrative rights to run this tool on Windows
NT, Windows 2000, or Windows XP.

* If you are running the tool on a Microsoft Exchange 2000 server,
you must stop the Microsoft Exchange service so that the tool does
not try to scan the virtual M drive.

* The fixtool does not run on a Novell server. Infected files that
are on a Novell server cannot be repaired. The Novell server
itself will not be infected, but any files that are located on the
server can store the virus code. On Novell volumes, you must
delete any files that are detected as infected, and restore them
from a clean backup.


IMPORTANT! Please read:
If you experience either or both of the following:

* If after running the tool, programs such as Microsoft Word no
longer run.

* If when you run the tool you see a message similar to "The file
"not" is infected and *$#&#$*#@ repaired."

the Microsoft Windows file Riched20.dll has been damaged by the
virus. You must replace this file, and in many cases you will also
have to reinstall Word or Office. Please see the section How to
extract the Riched20.dll near the end of this document.

1. Click here to download the Fixnimda.com file from
http://securityresponse.symantec.com/avcenter/Fixnimda.com. Save
the file to a convenient location, such as your download folder or
the Windows desktop.

2. To check the authenticity of the digital signature, refer to the
section The digital signature.

3. Close all running programs before running the tool.

4. If you are running Windows Me or XP, then disable System Restore.
Please refer to the section System Restore option in Windows Me/XP
for additional details.

NOTE: If you are running Windows Me/XP, we strongly recommend that
you do not skip this step.

5. Double-click the Fixnimda.com file to start the removal tool.

CAUTION: If you are on a network, you must apply the removal tool
on all computers, including servers.

6. Click Start to begin the process, and then allow the tool to run.

7. Symantec recommends running the tool until the system is reported
as clean.

8. If necessary, download the appropriate Microsoft patches to patch
vulnerable systems. These patches can be found here:

* http://www.microsoft.com/technet/security/bulletin/ms00-078.asp

* http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

* http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

9. If you are on a network or you have a full-time connection to the
Internet, disconnect the computer from the network and the
Internet. Disable or password protect file sharing before you
reconnect computers to the network or to the Internet. Because
this worm spreads by using shared folders on networked computers,
to ensure that the worm does not reinfect the computer after it
has been removed, Symantec suggests sharing with read-only access
or using password protection. For instructions on how to do this,
see your Windows documentation or the document How to configure
shared Windows folders for maximum network protection.

10. Restart the computer.

11. Run the fixtool again to ensure that the system is clean.

12. Install the necessary Microsoft patches to patch the known
vulnerabilities.

13. Reconnect the clean system to the network or re-enable your
full-time internet connection.

14. If you are running Windows Me/XP, then re-enable System Restore.

15. Run LiveUpdate to make sure that you are using the most current
virus definitions.

NOTE: The removal procedure might be unsuccessful if Windows Me/XP
System Restore is not disabled as previously directed, because
Windows prevents System Restore from being modified by outside
programs, and the removal tool therefore cannot clean that location.


When the tool has finished running, you will see a message indicating
whether the computer was infected by W32.Nimda.A@mm. If the worm was
removed, the program displays the following results:

* The total number of the scanned files.

* The number of deleted files.

* The number of repaired files.

* The number of viral processes terminated.



The digital signature
Fixnimda.com is digitally signed. Symantec recommends that you only
use copies of Fixnimda.com that have been downloaded directly from the
SARC download site. To check the authenticity of the digital
signature, follow these steps:

1. Go to http://www.wmsoftware.com/free.htm

2. Download and save the chktrust.exe file to the same folder where
you saved Fixnimda.com, for example, C:\Downloads.

3. Click Start, point to Programs, and click MS-DOS Prompt.

4. Change to the folder where Fixnimda.com and Chktrust.exe are
stored, and then type:

chktrust -i Fixnimda.com

For example, if you saved the file to the C:\Downloads folder:

cd\
cd downloads
chktrust -i Fixnimda.com

Press Enter after typing each command.

5. If the digital signature is valid, you will see the following
prompt:

Do you want to install and run "Nimda Fix Tool" signed on
10/9/2001 11:56 AM and distributed by Symantec Corporation.

NOTES:

* The date and time that are displayed in this dialog box will
be adjusted to your time zone if your computer is not set to
the Pacific time zone.

* If you are using Daylight Saving Time, the time that is
displayed will be exactly one hour earlier.

* If this dialog box does not appear, there are two possible
reasons:

* The tool is not from Symantec. Unless you are sure that
the tool is legitimate, and that you downloaded it from
the legitimate Symantec Web site, you should not run it.

* The tool is from Symantec, and is legitimate. However,
your operating system was previously instructed to always
trust content from Symantec. For information on this, and
how to view the confirmation dialog again, read the
document How to restore the Publisher Authenticity
confirmation dialog box.

6. Click Yes to close the dialog box.

7. Type exit and then press Enter. This will close the MS-DOS
session.



What the tool does
The W32.Nimda.A@mm fixtool will perform the following steps:

1. Terminates all processes associated with the virus.

2. Terminates Explorer.exe process and relaunches it. The virus
injects itself into Explorer.exe which makes this step necessary.
Because of this, you may see the desktop flash (this is expected
behavior).

3. Detects all types of W32.Nimda.A@mm infections. Repairs those
files that can be repaired. Deletes .eml, .nws, .doc and .txt
files that have been detected as infected.

NOTE: The tool will not delete .eml files in cases where the
extension is not one of the four mentioned above. For example, a
file with the double extension .eml.bad will not be deleted. You
must manually delete such files.

4. Repairs the System.ini file by removing the modifications made to
the shell= line.

5. Removes the guest account from the Administrator group and
disables the guest account in the Guests group.

6. Repairs multiple HTML infections.

7. Returns shared drives and folders to default security settings.

IMPORTANT NOTES:

* Windows NT/2000/XP. This tool will restore the original
security of Windows NT/2000/XP shares as long as the computer
has not been restarted since the virus was launched. The only
exception to this are shares that have Everyone [Full Control]
as the only rights on them - these cannot be distinguished
from shares that the virus has modified and they will be set
to Administrator Group [Full Control].

* Windows 95/98/Me. On Windows 95/98/Me computers, if the
computer has not been restarted, the tool will restore the
pre-infection security settings of the shares. If the computer
has been restarted, the tool will apply the following
settings:

* The "Win9x Share Read Write Password" will be applied to
shares with Access Type "Full"

* The "Win9x Share Read Only Password" will be applied to
shares with Access Type "Read-Only"

* Both passwords will be applied to shares with Access Type
"Depends on Password"

8. Deletes registry values which had been modified to prevent
Windows Explorer from showing hidden files or known file
extensions. Deleting these values resets them to their defaults.
You should reconfigure these options to their desired settings.
(To do this, in Windows Explorer, click the View menu (Windows
95/98/NT) or the Tools menu (Windows Me/2000), and then click
Options or Folder options. Change settings as desired.)
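Step 4 above resets the shell= line in System.ini. The following standalone check, added here as an illustration and not part of Symantec's tool, shows the same idea in Python: it parses the [boot] section, reports whether shell= still points at explorer.exe alone, and returns a repaired copy that leaves every other line untouched. The sample System.ini content and the extra tokens appended to shell= are constructed placeholders, not the worm's actual modification.

```python
"""Detect and undo a tampered shell= line in a System.ini file (added example)."""
import re

# Clean Windows 9x boot shell; anything appended to it is treated as tampering.
DEFAULT_SHELL = "explorer.exe"


def find_shell_line(ini_text):
    """Return (value, line_index) of shell= under [boot], or (None, None)."""
    section = None
    for idx, raw in enumerate(ini_text.splitlines()):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()  # track the current [section]
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip(), idx
    return None, None


def shell_is_default(ini_text):
    """True only when shell= is exactly explorer.exe (case-insensitive)."""
    value, _ = find_shell_line(ini_text)
    return value is not None and value.lower() == DEFAULT_SHELL


def repair_shell_line(ini_text):
    """Return a copy with shell= reset to explorer.exe; other lines are kept."""
    lines = ini_text.splitlines()
    _, idx = find_shell_line(ini_text)
    if idx is None:
        return ini_text  # no shell= under [boot]; nothing to repair
    lines[idx] = f"shell={DEFAULT_SHELL}"
    trailing = "\n" if ini_text.endswith("\n") else ""
    return "\n".join(lines) + trailing


# Constructed sample; "dropped.exe -placeholder" stands in for a tampered value.
SAMPLE = """[boot]
shell=explorer.exe dropped.exe -placeholder
; comment line
[386Enh]
woafont=dosapp.fon
"""

if __name__ == "__main__":
    print("shell= is default:", shell_is_default(SAMPLE))
    print(repair_shell_line(SAMPLE))
```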



Command line switches available in this tool:

* /NOFIXSHARE - disables share repair (use of this switch is not
recommended).

* /NOFIXREG - disables registry repair (use of this switch is not
recommended).

* /SILENT, /S - enables silent mode.

* /LOG=pathname - creates a log file, where pathname is the location
in which to store the output of the tool.

* /RWPWD=password - applies this password to Win9x Read Write shares.

* /ROPWD=password - applies this password to Win9x Read Only shares.

CAUTION: Once a computer has been attacked by W32.Nimda.A@mm, it is
possible that your system has been accessed remotely by an
unauthorized user. For this reason it is impossible to guarantee the
integrity of a system that has had such an infection. The remote
user could have made changes to your system, including but not
limited to the following:

* Stealing or changing passwords or password files

* Installing remote-connectivity host software, also known as
backdoors

* Installing keystroke logging software

* Configuring of firewall rules

* Stealing of credit card numbers, banking information, personal
data, and so on

* Deletion or modification of files

* Sending of inappropriate or even incriminating material from a
customer's email account

* Modifying access rights on user accounts or files

* Deleting information from log files to hide such activities


If you need to be certain that your organization is secure, you must
reinstall the operating system, and restore files from a backup that
was made before the infection took place, and change all passwords
that may have been on the infected computers or that were accessible
from it. This is the only way to ensure that your systems are safe.
For more information regarding security in your organization,
contact your system administrator.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System
Restore. This feature, which is enabled by default, is used by Windows
Me/XP to restore files on your computer in case they become damaged.
When a computer is infected with a virus, worm, or Trojan, it is
possible that the virus, worm, or Trojan could be backed up by System
Restore. By default, Windows prevents System Restore from being
modified by outside programs. As a result, there is the possibility
that you could accidentally restore an infected file, or that on-line
scanners would detect the threat in that location. For instructions on
how to turn off System Restore, read your Windows documentation or one
of the following articles:

* How to disable or enable Windows Me System Restore.

* How to disable or enable Windows XP System Restore.


For additional information, and an alternative to disabling Windows Me
System Restore, see the Microsoft Knowledge Base article Anti-Virus
Tools Cannot Clean Infected Files in the _Restore Folder, Article ID:
Q263455.

How to extract the Riched20.dll
If you see errors when you start programs such as Microsoft Word, or
the programs will not start, you need to extract the Riched20.dll
file. (As an alternative, you can reinstall the operating system and
the affected programs.)

Please see the instructions for your operating system.

NOTE: These instructions are provided for your convenience, and will
work on most computers. For additional information on extracting
files, including other Windows files that may have been damaged, read
one of the following:

* If you are using Microsoft Outlook 2002 or Microsoft Office 2002,
there is an easier way to do this. These programs have the ability
to replace the Riched20.dll file if you first rename it. For
instructions on how to do this, read the Microsoft Knowledge Base
article OL2002: Outlook Stops Responding with Riched20.dll Error
Messages, Article ID: Q291651.

* The Microsoft Knowledge Base article How to Extract Original
Compressed Windows Files, Article ID: Q129605.

* How to extract files in Windows 98 and Windows Me.

Windows 95/98
You need to use the Extract command at a DOS prompt. Follow these
steps to do this, using the instructions for your operating system.


NOTES:

* You will need a Windows 98/Me startup disk. (If you are using
Windows 95, you will still need one that was created on a
Windows 98/Me computer). For instructions on how to create one,
see the document How to create a Windows Startup disk.

* Have the Windows installation CD available.

* When typing the command, substitute the appropriate drive letter
for your CD-ROM drive for the letter x. For example, if you are
using Windows 98, and the CD-ROM drive is the drive D, then you
would type

extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system


* If Windows is installed in a folder other than C:\Windows, then
substitute the appropriate path or folder name in the last part
of the command that refers to the \Windows folder.

* For detailed instructions on using the Extract command, see the
Microsoft document How to Extract Original Compressed Windows
Files, Article ID: Q129605.

* As a somewhat easier alternative to the following procedure, if
you are using Windows 98, then you can use the System File
Checker to restore the file. For information on how to do this,
see your Windows documentation.

1. Shut down the computer and turn off the power. Once the computer
is off, insert the Windows 98/Me Startup disk in the floppy disk
drive and turn the computer back on. At the menu, select Start
with CD-ROM support.

2. Type the command that applies to your operating system:

* If you are using Windows 98, then type the following and press
Enter:

extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

* If you are using Windows 95, then type the following and press
Enter:

extract /a win95_10.cab riched20.dll /L c:\windows\system

NOTE: If you see an error message of any kind, then repeat step 2,
making sure that you typed the correct command for your operating
system and that you typed it exactly as shown. Otherwise, type exit
and then press Enter.




Windows NT 4.0

1. Make sure that Windows is configured to show all files.

2. Search for and then delete all Riched20.dll files.

3. Reapply the most recent service pack. The service pack will
replace the file with a new copy.

4. If, after replacing the Riched20.dll file, programs such as
Microsoft Word or Office no longer run, or you see error messages
when they start, you may have to reinstall Microsoft Office.



Windows 2000
If you are using Windows 2000, a built-in program will find and
replace missing or corrupt system files. To replace the corrupted
Riched20.dll, follow these steps:

1. Make sure System File Checker is enabled:

1. Click Start and then click Run.

2. Type cmd and click OK.

3. Type the following and then press Enter:

sfc /enable

4. Type exit and then press Enter.

2. Make sure that Windows is set to show all files:

1. Start Windows Explorer.

2. Click the Tools menu and then click Folder options.

3. Click the View tab.

4. Uncheck "Hide file extensions for known file types."

5. Uncheck "Hide protected operating system files" and under the
"Hidden files" folder, click "Show hidden files and folders."

6. Click Apply, and then click OK.

3. Search for Riched20.dll:

1. Click Start, point to Find or Search, and click Files or
Folders.

2. Make sure that "Look in" is set to (C) and that Include
subfolders is checked.

3. In the "Named" or "Search for..." box, type (or copy and paste)
the following file name:

riched20.dll

4. Click Find Now or Search Now.

5. Delete the files that are displayed.

4. Restart the computer.

5. System File Checker will replace any missing Riched20.dll files.
If, after replacing the Riched20.dll file, programs such as
Microsoft Word or Office no longer run, or you see error messages
when they start, you may have to reinstall Microsoft Office.




Write-up by: Peter Ferrie
