***************************************************************************
FIX_NIMDA (version 1.22)
Trend Micro, Inc.
http://www.antivirus.com
***************************************************************************
I. File List
o FIX_NIMDA.EXE - fix tool for PE_NIMDA.A
o README_NIMDA.TXT - this readme file
o SLIDE.EXE - accompanying file to clean HTM/HTML/ASP files
(You need NOT run this file; FIX_NIMDA.EXE runs it automatically.)
o SLIDE.DAT - data file used by SLIDE.EXE
II. How to Use
1. Turn off any antivirus software that is installed to avoid conflicts
that may occur while the tool is scanning the system.
2. Disconnect the system from the network to avoid reinfection
while the tool is scanning the system.
3. Place the 3 files (FIX_NIMDA.EXE, SLIDE.EXE, and SLIDE.DAT) in the same
directory.
4. Open a Command Prompt (MS-DOS Prompt) and change to the directory
where the tool resides.
5. Run FIX_NIMDA.EXE.
6. Enable all antivirus software that is installed.
III. Description
This tool is designed to clean a system that was infected by
PE_NIMDA.A.
This tool will clean the system without having to boot using the
boot disk or emergency rescue disk (ERD).
When FIX_NIMDA.EXE is executed, it will perform the following steps:
o Terminate PE_NIMDA.A in memory
o Remove traces of PE_NIMDA.A in SYSTEM.INI file
o Scan all files on all fixed drives for infected executable and
EML files
o Clean all infected files except for mother files which are deleted
o Scan/clean all HTM/HTML/ASP files for PE_NIMDA.A by executing
SLIDE.EXE
This version can also unshare any shared folders when run with the /UNSHARE
command-line option, and it removes the GUEST user account from the
Administrators group.
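One of the steps listed above is removing the worm's traces from SYSTEM.INI. The README does not say what those traces look like, so the following is an added illustration (not Trend Micro's code and not what FIX_NIMDA.EXE does internally) of the general technique: audit the shell= entry under [boot] in a Windows 9x/ME SYSTEM.INI, report anything other than the default explorer.exe, and rewrite only that one line so the rest of the file (including duplicate device= keys, which a generic INI parser would choke on) is preserved byte for byte. The sample file and the extra_loader.exe token in it are constructed for the example and are not Nimda indicators.

```python
"""Audit and restore the [boot] shell= entry of a Windows 9x/ME SYSTEM.INI.

Added example: a line-oriented scan that touches only the shell= key under
[boot]. A line-based approach is used on purpose: SYSTEM.INI commonly has
repeated keys (device=*vmm) that configparser would reject or merge.
"""
import re
from pathlib import Path

# Default shell on Windows 9x/ME; any extra program appended here runs at boot.
DEFAULT_SHELL = "explorer.exe"

# Constructed sample SYSTEM.INI: the shell line carries an extra program
# (placeholder name, not a real indicator) the way a boot-persistence trace would.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe extra_loader.exe -example
drivers=mmsystem.dll
[386Enh]
device=*vmm
device=*vmm
"""

_SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
_SHELL = re.compile(r"^\s*shell\s*=\s*(.*?)\s*$", re.IGNORECASE)


def audit_system_ini(text: str) -> tuple[str, list[str]]:
    """Return (cleaned_text, findings).

    Every line is copied through unchanged except a [boot] shell= line whose
    value is not exactly the default shell; that line is replaced and reported.
    """
    findings: list[str] = []
    out: list[str] = []
    section = None
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1).lower()
            out.append(line)
            continue
        if section == "boot":
            kv = _SHELL.match(line)
            if kv and kv.group(1).lower() != DEFAULT_SHELL:
                findings.append(
                    f"[boot] shell={kv.group(1)!r} differs from default {DEFAULT_SHELL!r}"
                )
                out.append(f"shell={DEFAULT_SHELL}")
                continue
        out.append(line)
    cleaned = "\n".join(out)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, findings


def clean_system_ini_file(path: Path) -> list[str]:
    """Audit a real file, keep a .bak copy, and write the cleaned text back."""
    original = path.read_text(encoding="latin-1")  # SYSTEM.INI is ANSI text
    cleaned, findings = audit_system_ini(original)
    if findings:
        path.with_suffix(".bak").write_text(original, encoding="latin-1")
        path.write_text(cleaned, encoding="latin-1")
    return findings


if __name__ == "__main__":
    cleaned_text, found = audit_system_ini(SAMPLE_SYSTEM_INI)
    for f in found:
        print("finding:", f)
    print(cleaned_text)
```

Run it against a copy of C:\WINDOWS\SYSTEM.INI with clean_system_ini_file(Path(...)) after the machine is off the network, as the README's own steps require; the .bak file lets you compare what was changed.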
IV. Requirements
This tool is designed to run under Windows NT/2000 and Windows 9X/ME.
For this tool to execute properly under Windows NT/2000 it needs the
following DLL file:
o PSAPI.DLL
Be sure that this file is present in the "Winnt\system32" directory.
V. Notes
1. There are instances where the original mother file itself gets infected
with PE_NIMDA.A, so it is detected as PE_NIMDA.A. The file gets cleaned, and
a second scan then reveals that it is the non-cleanable original mother file,
which FIX_NIMDA.EXE deletes.
2. The tool flags a file as PE_NIMDA.A-O when the file itself is an exact
copy of the worm in its original form; such files are deleted.
VI. Known Issues
1. On Windows ME systems, deleted files remain in the System Restore folder
because of ME's Restore feature: when an infected file is deleted, the
Restore folder backs it up for later restoration. The user must delete this
copy from the Restore folder manually.
2. The virus drops an infected RICHED20.DLL, but normal Windows systems also
contain their own RICHED20.DLL. The legitimate RICHED20.DLL may itself be
infected by the virus, in which case it is cleaned and can still be used
afterwards; the other RICHED20.DLL dropped by the virus is deleted. As a
result, RICHED20.DLL files are sometimes deleted and sometimes cleaned.
3. After rebooting, NT machines will restore the default shared IPC$.
4. Under NT 4.0, GUEST user is not disabled.
VII. History:
version 1.00 - first release
version 1.10 - restore original file attribute after cleaning
- bug correction on CALC.EXE cleaning
version 1.20 - support ASP scan/clean
- bug correction on Dr. Watson Error in NT
version 1.21 - support:
a. scan/clean of non-English filenames
b. unshare all shared folders
c. disable GUEST user
version 1.22 - disabled the automatic folders unsharing feature
- Added the /UNSHARE option
Subscribers as of 24/09/2001: 2368
Messages received since 07/01/1999: 133698
Archive and (un)subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list:
mailto:[EMAIL PROTECTED]