NimdaScn.exe v1.0f - W32/Nimda@MM Standalone Remover
Copyright (c) 2001 Networks Associates, Inc. All Rights Reserved.
==================================================================

NOTES:

This is a command line tool for Win9x/ME/NT/2000. It is designed to remove an
active W32/Nimda@MM infection from the local system. To prevent reinfection,
update your DAT files and perform the steps outlined here.

Prior to scanning, the following Microsoft patches should be applied.

*** All end users and administrators running Microsoft Internet Explorer
    (ver 5.01 or 5.5 without SP2) are advised to install this Microsoft patch
    for the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment"
    vulnerability:
    - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

*** All IIS administrators (and Win2K users who may not know they are running
    IIS) who haven't already done so should also install the "August 15, 2001
    Cumulative Patch for IIS":
    - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp

    W32/Nimda@MM can also infect via a backdoor opened by the W32/CodeRed.c
    worm. To ensure that this hole is not enabling W32/Nimda@MM, use this
    Microsoft tool to "eliminate the obvious effects of the Code Red II worm":
    - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/redfix.asp

*** AVERT also recommends that you disconnect from the network and terminate
    all other applications prior to cleaning.
WHAT IT DOES:
=============

1) Terminates all W32/Nimda@MM viral processes from memory
2) Scans the specified directory and all subdirectories for infected files
   NOTE: The root directory of each local drive should always be targeted for
   the most effective repair
3) Repairs all W32/Nimda@MM files found
4) Removes all hidden open shares
5) Removes registry keys created by the worm:
   "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C-Z$"
6) Removes the GUEST user account from the ADMINISTRATORS group in WinNT/2K
7) Removes the "LOAD.EXE -dontrunold" command from the SYSTEM.INI files under
   Win9x/ME

INSTRUCTIONS:
=============

USAGE: NimdaScn <directory> [/silent|/verbose]

   <directory> - Directory to scan
   /silent     - no output
   /verbose    - maximum output

   e.g. nimdascn c:\*.*

To generate a log file, use the following syntax:

   NIMDASCN <directory> /verbose > <logfile>

   e.g. nimdascn c:\*.* /verbose > c:\report.txt

REQUIRED FILES PROVIDED IN THIS PACKAGE:
========================================

NIMDASCN.EXE
CLEAN.DAT
NAMES.DAT
SCAN.DAT
MCSCAN32.DLL
RWABS16.DLL
RWABS32.DLL

VERSION HISTORY:
========================================

v1.0f:
- All W32/Nimda@MM viral processes are terminated from memory prior to scanning
  NOTE: This removes the need for a second scan and removes the virus in a
  multidisk environment

v1.0e:
- Updated DAT files to clean certain infected executable files
- A second scan takes place to confirm that all files are repaired properly

v1.0d:
- Initial Release

CONTACT INFORMATION:
========================================

Please direct any comments or questions regarding Nimdascn to
virus_research@nai.com, and use the subject line StandAlone.
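The following is an added example, not part of the NimdaScn package, showing how an administrator can audit two of the persistence artifacts listed under WHAT IT DOES (items 5 and 7) from offline copies: the "LOAD.EXE -dontrunold" command in the [boot] section of SYSTEM.INI, and the C$..Z$ hidden-share subkeys under the LanMan registry key. The SYSTEM.INI text and the subkey list are constructed sample data, and the regular expressions are this example's own assumptions about how the command and share names appear.

```python
import re
from typing import Optional

# Constructed sample SYSTEM.INI (not from the page); the [boot] shell= value carries
# the "LOAD.EXE -dontrunold" command that NimdaScn removes (item 7).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\LOAD.EXE -dontrunold
[386Enh]
device=*vpd
"""
# Constructed subkey names under HKLM\...\Network\LanMan, as read from a registry
# export; C$ and E$ are the hidden drive shares the worm registers (item 5).
SAMPLE_LANMAN_SUBKEYS = ["printer", "C$", "E$", "SharedDocs"]

# Assumed shape of the worm's command: an optional path, then the marker itself.
WORM_COMMAND = re.compile(r"(?:\S*\\)?load\.exe\s+-dontrunold", re.IGNORECASE)
HIDDEN_DRIVE_SHARE = re.compile(r"^[C-Z]\$$", re.IGNORECASE)


def _boot_entries(ini_text: str):
    """Yield (line_index, key, value) for key=value lines inside [boot] only."""
    section = None
    for idx, raw in enumerate(ini_text.splitlines()):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            yield idx, key.strip(), value.strip()

def find_worm_command(ini_text: str) -> Optional[str]:
    """Return the offending 'key=value' line from [boot], or None if clean."""
    for _, key, value in _boot_entries(ini_text):
        if WORM_COMMAND.search(value):
            return f"{key}={value}"
    return None

def remove_worm_command(ini_text: str) -> str:
    """Strip the worm command from [boot] values; every other line is kept verbatim."""
    lines = ini_text.splitlines()
    for idx, key, value in _boot_entries(ini_text):
        cleaned = WORM_COMMAND.sub("", value).strip()
        if cleaned != value:
            lines[idx] = f"{key}={cleaned}"
    return "\n".join(lines) + ("\n" if ini_text.endswith("\n") else "")

def hidden_drive_shares(lanman_subkeys) -> list:
    """Return the C$..Z$ subkey names, i.e. the hidden shares the worm creates."""
    return [k for k in lanman_subkeys if HIDDEN_DRIVE_SHARE.match(k)]
```

Only the [boot] section is inspected, so the same marker appearing under another section is reported as clean, and the cleaned text keeps the remainder of the shell= value so that Explorer.exe still loads.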