Received from another list, related to the Nimda worm.
HTH!!
I am not sure if anyone has posted this info yet, but we were able to
figure out how to remove the W32.Nimda.A@mm from Windows 95/98. So far
it has been effective:
1) boot in DOS mode
2) edit system.ini file in c:\windows
3) look for this line
shell= explorer.exe load.exe -donotloadold
replace it with
shell=explorer.exe
4) go to c:\windows\system
1) run attrib -s -h riched20.dll
2) run attrib -s -h load.exe
3) del riched20.dll, 56kb (check the date on it; if it is today's date,
delete it)
4) del load.exe
Points to note:
Win98 may backup system.ini in:
c:\windows\sysbckup\rb000.cab (001.cab etc)
which would contain the infected system.ini
The worm will also place files in the temporary directory
with the extension .TMP; these files include load.exe (the worm).
When rebooted, wininit.ini will rename these files and recreate load.exe,
and also try to backup system.ini from the rb000.cab -- this will then
start load.exe and restart the whole process. This got us 3 times until we
figured out what was happening.
Along with riched20.dll, you also need to delete or restore MAPI.DLL,
possibly winzip32.exe
Other possible infected files to check (these may be Win2k only):
winzip32.exe
riched20.dll
MAPI32.DLL
MPR.DLL
mmc.exe
system.ini
load.exe
I pulled those out of the load.exe executable.
c: readme main index default html .asp .htm \readme.eml .exe
mep
The above line, in load.exe makes me assume that on an IIS box it will
replace the default page with readme.eml
Search the entire box for *.eml, *.nws, readme*.exe, load.exe and delete all
instances, search all network shares which are open to this box for *.eml,
*.nws, readme*.exe, load.exe and any of the above files. Check their dates
and sizes against a clean box.
The filenames for the EML and NWS files seem to be random files on the
drive, but may be coming from a Recent Documents List.
We've only had one infected computer, which was Win98, but it spread files
to shares on Win2k, NT4 and Macintosh using the DAVE file sharing product.
It also replaced riched20.dll on a separate NT4 box.
Andrew Jones
Meggitt Petroleum Systems
Tel +44 (0)2476 697417 (Switchboard)
Fax +44 (0)2476 418210
[EMAIL PROTECTED]
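As an added example (not part of the forwarded message), a small Python check that implements the two detection steps the post describes: spotting a system.ini [boot] shell= line that loads anything besides explorer.exe (the post's "load.exe -donotloadold" case), and matching the *.eml, *.nws, readme*.exe and load.exe names the post says to search for. The sample system.ini text and file paths are constructed for this example.

```python
import fnmatch
import ntpath
import re

# File patterns the post tells the reader to search for.
INDICATOR_PATTERNS = ["*.eml", "*.nws", "readme*.exe", "load.exe"]

# Clean [boot] shell= value per the post; anything extra is suspicious.
CLEAN_SHELL_LINE = "shell=explorer.exe"
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample system.ini (the shell= line mirrors the post).
SAMPLE_INI = """[boot]
shell= explorer.exe load.exe -donotloadold
mouse.drv=mouse.drv
[386Enh]
device=*vmm
"""

# Constructed sample paths, as a file-search tool might report them.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\load.exe",
    r"C:\WINDOWS\TEMP\mep1A2B.TMP",
    r"C:\inetpub\wwwroot\readme.eml",
    r"\\FILESRV\public\budget.nws",
    r"C:\WINDOWS\SYSTEM\riched20.dll",
    r"C:\Docs\README.TXT",
]

def find_tampered_shell(ini_text):
    """Return the [boot] shell= line if it loads more than explorer.exe, else None."""
    in_boot = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_boot = stripped.lower() == "[boot]"  # only [boot] carries shell=
            continue
        m = SHELL_RE.match(line) if in_boot else None
        if m and m.group(1).lower().split() != ["explorer.exe"]:
            return line
    return None

def restore_shell(ini_text):
    """Rewrite a tampered shell= line to the clean value; other lines unchanged."""
    tampered = find_tampered_shell(ini_text)
    if tampered is None:
        return ini_text
    return "\n".join(CLEAN_SHELL_LINE if line == tampered else line
                     for line in ini_text.splitlines()) + "\n"

def match_indicators(paths):
    """Return paths whose basename matches an indicator pattern (case-insensitive)."""
    return [p for p in paths
            if any(fnmatch.fnmatchcase(ntpath.basename(p).lower(), pat)
                   for pat in INDICATOR_PATTERNS)]
```

riched20.dll is deliberately not matched by pattern: as the post says, that file has to be judged by date and size against a clean box.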