Hi all
An easier way to remove the Nimda worm is to use the following file:
ftp://ftp.unicamp.br/pub2/apoio/windows9x/antivirus/antinimda.exe, which
detects and removes the worm.
An observation by the developer: deactivate the antivirus before using it.
The tool is truthful, since it is being used by all Brazilian universities that
had problems with the worm.
Hope this can help

Joao Rodrigo Coimbra
[EMAIL PROTECTED]


----- Original Message -----
From: Andrew Jones <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 20, 2001 11:46 AM
Subject: Removal of NIMDA worm


> Received from another list, related to Nimda worm.
>
> HTH!!
>
> I am not sure if anyone has posted this info yet but we were able to
> figure out how to remove the W32.Nimda.A@mm from Windows 95/98. So far
> it has been effective.
>
> 1) boot in DOS mode
> 2) edit system.ini file in c:\windows
> 3) look for this line
>         shell= explorer.exe load.exe -donotloadold
>
> replace it with
>
>         shell=explorer.exe
>
> 4) go to c:\windows\system
>         1) run attrib -s -h riched20.dll
>         2) run attrib -s -h load.exe
>         3) del riched20.dll, 56kb (check the date on it; if today's date,
> delete it)
>         4) del load.exe
>
> Points to note:
>
> Win98 may backup system.ini in:
> c:\windows\sysbckup\rb000.cab (001.cab etc)
>
> which would contain the infected system.ini
>
> The worm will also place files in the temporary directory,
> with the extension .TMP, these files include load.exe (the worm),
>
> When rebooted, wininit.ini will rename these files and recreate load.exe,
> and also try to backup system.ini from the rb000.cab -- this will then
> start load.exe and restart the whole process.  This got us 3 times until we
> figured out what was happening.
>
> Along with riched20.dll, you also need to delete or restore MAPI.DLL,
> possibly winzip32.exe
>
> Other possible infected files to check (these may be Win2k only)
>
> winzip32.exe
> riched20.dll
> MAPI32.DLL
> MPR.DLL
> mmc.exe
> system.ini
> load.exe
>
> I pulled those out of the load.exe executable.
>
> c:  readme  main    index   default html    .asp    .htm    \readme.eml .exe
> mep
>
> The above line, in load.exe makes me assume that on an IIS box it will
> replace the default page with readme.eml
>
> Search the entire box for *.eml, *.nws, readme*.exe, load.exe and delete all
> instances, search all network shares which are open to this box for *.eml,
> *.nws, readme*.exe, load.exe and any of the above files.  Check their dates
> and sizes against a clean box.
>
> The filenames for the EML and NWS files seem to be random files on the
> drive, but may be coming from a Recent Documents List.
>
> We've only had one infected computer, which was Win98, but it spread files
> to shares on Win2k, NT4 and Macintosh using the DAVE file sharing product.
> It also replaced riched20.dll on a separate NT4 box.
>
>
>
> Andrew Jones
> Meggitt Petroleum Systems
> Tel +44 (0)2476 697417 (Switchboard)
> Fax +44 (0)2476 418210
> [EMAIL PROTECTED]
>
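The manual cleanup steps above (fixing the shell= line in system.ini, then hunting the worm's files and the system files it overwrites) can be turned into a small offline triage check. This is an added example, not code from either poster or from the antinimda tool; the system.ini text and the directory listing are constructed samples, and the split between "delete" and "verify" lists follows the thread's own advice to compare overwritten system files against a clean box.

```python
import fnmatch
import re

# Constructed sample of a Win9x system.ini whose [boot] shell= line has been
# modified the way the thread describes (not a capture from a real host).
SAMPLE_SYSTEM_INI = "[boot]\nshell= explorer.exe load.exe -donotloadold\nmouse.drv=mouse.drv\n"

# Constructed directory listing mixing the thread's worm filenames with benign ones.
SAMPLE_NAMES = ["readme.eml", "desktop.ini", "LOAD.EXE", "budget.nws",
                "README.EXE", "riched20.dll", "MAPI32.DLL", "notepad.exe"]

# Names only the worm creates (the thread's search list): delete every instance.
WORM_ONLY = ["*.eml", "*.nws", "readme*.exe", "load.exe"]
# Legitimate system files the worm overwrites: verify date and size against a clean box.
REPLACED_SYSTEM_FILES = ["riched20.dll", "mapi.dll", "mapi32.dll", "mpr.dll", "mmc.exe", "winzip32.exe"]

SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.*)$", re.IGNORECASE)


def inspect_shell_line(ini_text):
    """Return (infected, cleaned_text). Infected means the shell= line chains
    load.exe after explorer.exe; cleaned_text restores shell=explorer.exe."""
    infected = False
    out = []
    for line in ini_text.splitlines():
        m = SHELL_RE.match(line)
        if m and "load.exe" in m.group(1).lower():
            infected = True
            line = "shell=explorer.exe"
        out.append(line)
    return infected, "\n".join(out) + "\n"


def triage_files(names):
    """Split filenames into (delete, verify): worm-only names go to delete,
    overwritten system files go to verify so a clean copy can be compared."""
    delete, verify = [], []
    for name in names:
        lowered = name.lower()
        if any(fnmatch.fnmatchcase(lowered, p) for p in WORM_ONLY):
            delete.append(name)
        elif lowered in REPLACED_SYSTEM_FILES:
            verify.append(name)
    return sorted(delete), sorted(verify)
```

Running this on a real machine would mean feeding it the contents of c:\windows\system.ini and an os.listdir() of c:\windows\system and the temp directory; the "verify" list is deliberately not deleted, because those files are needed by the system once a clean copy is restored.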
