Symantec Security Response
http://securityresponse.symantec.com

W32.Nimda.E@mm Removal Tool

Last Updated on: July 25, 2002 09:57:10 PM PDT

Symantec has provided a tool to remove infections of W32.Nimda.E@mm.

CAUTION: This tool is designed to remove infections of W32.Nimda.E@mm. It will not remove infections of W32.Nimda.A@mm. If you need to remove a W32.Nimda.A@mm infection, obtain the W32.Nimda.A@mm Removal Tool.

What the tool does

The W32.Nimda.E@mm Removal Tool does the following:

1. Terminates all processes associated with the virus.
2. Terminates the Explorer.exe process and relaunches it. The virus injects itself into Explorer.exe, which makes this step necessary. Because of this, you may see the desktop flash (this is expected behavior).
3. Detects all types of W32.Nimda.E@mm infections. Repairs those files that can be repaired. Deletes .eml, .nws, .doc, and .txt files that have been detected as infected.
   NOTE: The tool will not delete .eml files in cases where the final extension is not one of the four mentioned above. For example, a file with the double extension .eml.bad will not be deleted. You must manually delete such files.
4. Repairs the System.ini file by removing the modifications made to the shell= line.
5. Removes the guest account from the Administrator group and disables the guest account in the Guests group.
6. Repairs multiple HTML infections.
7. Returns shared drives and folders to default security settings.
   IMPORTANT NOTES:
   - Windows NT/2000/XP: This tool will restore the original security of Windows NT/2000/XP shares as long as the computer has not been restarted since the virus was launched. The only exceptions to this are shares that have Everyone [Full Control] as the only rights on them; these cannot be distinguished from shares that the virus has modified, and they will be set to Administrator Group [Full Control].
   - Windows 95/98/Me: Under Windows 95/98/Me, if the computer has not been restarted, the tool will restore the pre-infection security settings of the shares. If the computer has been restarted, the tool will apply the following settings:
     - The "Win9x Share Read Write Password" will be applied to shares with Access Type "Full."
     - The "Win9x Share Read Only Password" will be applied to shares with Access Type "Read-Only."
     - Both passwords will be applied to shares with Access Type "Depends on Password."
   - Novell servers: The fixtool does not run on a Novell server. Infected files that are on a Novell server cannot be repaired. The Novell server itself will not be infected, but any files that are located on the server can store the virus code. On Novell volumes, you must delete any files that are detected as infected, and restore them from a clean backup.
8. Deletes registry values that were modified to prevent Windows Explorer from showing hidden files or known file extensions. Deleting these values resets them to their defaults. You should reconfigure these options to their desired settings. To do this in Windows Explorer, click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000), and then click Options or Folder options. Change settings as desired.
9. Scans mapped drives.

Command-line switches available in this tool:

   /NOFIXSHARE - Disables share repair (use of this switch is not recommended).
   /NOFIXREG - Disables registry repair (use of this switch is not recommended).
   /SILENT, /S - Enables silent mode.
   /LOG=[path] - Creates a log file, where [path] is the location in which to store the output of the tool.
   /RWPWD=[password] - Applies this password to Windows 9x Read/Write shares.
   /ROPWD=[password] - Applies this password to Windows 9x Read-Only shares.
   /MAPPED - Scans mapped network drives.

CAUTION: Once a computer has been attacked by W32.Nimda.E@mm, it is possible that the system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to the system, including but not limited to the following:

   - Stealing or changing passwords or password files
   - Installing remote-connectivity host software, also known as backdoors
   - Installing keystroke-logging software
   - Configuring of firewall rules
   - Stealing of credit card numbers, banking information, personal data, and so on
   - Deletion or modification of files
   - Sending of inappropriate or even incriminating material from a customer's email account
   - Modifying access rights on user accounts or files
   - Deleting information from log files to hide such activities

If you need to be certain that your organization is secure, you must reinstall the operating system, restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from them. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.

To obtain and run the tool

NOTE: You must have administrative rights to run this tool on Windows NT, Windows 2000, or Windows XP.

IMPORTANT! Please read: If you experience either or both of the following:

   - After running the tool, programs such as Microsoft Word no longer run
   - When you run the tool you see a message similar to "The file 'not' is infected and *$#&#$*#@ repaired"

then the Microsoft Windows file Riched20.dll has been damaged by the virus. You must replace this file, and in many cases, you will also have to reinstall Word or Office. Please see the section How to extract the Riched20.dll near the end of this document.

CAUTION! Please read before proceeding: Before you download the tool to a computer, Symantec Security Response strongly recommends that you disconnect the computer from the network. If possible, this should be a computer that is known not to be infected. This computer must have all security patches applied to it. Also, if possible, the tool and the patches should be copied to removable media, which should then be used to clean and update infected computers.

1. Download the FxNimdaE.com file from http://securityresponse.symantec.com/avcenter/FxNimdaE.com. Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
2. To check the authenticity of the digital signature, refer to the section The digital signature.
3. Close all running programs before running the tool.
4. If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before you reconnect computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
5. If you are running Windows Me or XP, then disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.
   NOTE: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.
6. Double-click the FxNimdaE.com file to start the removal tool.
   CAUTION: If you are on a network, you must apply the removal tool on all computers, including servers.
7. Click Start to begin the process, and then allow the tool to run.
8. IMPORTANT: Symantec recommends running the tool several times until the tool indicates that there are no more infections on the system.
9. If necessary, download the appropriate Microsoft patches to patch vulnerable systems. These patches can be found at the following Microsoft sites:
   http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
   http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
   http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
10. Restart the computer.
11. Run the removal tool again to ensure that the system is clean.
12. Install the necessary Microsoft patches to patch the known vulnerabilities.
13. Reconnect the clean system to the network or re-enable your full-time Internet connection.
14. If you are running Windows Me/XP, then re-enable System Restore.
15. Run LiveUpdate to make sure that you are using the most current virus definitions.

NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed, because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail.

When the tool has finished running, you will see a message indicating whether the computer was infected by W32.Nimda.E@mm. In the case of a removal of the worm, the program displays the following results:

   - The total number of scanned files.
   - The number of deleted files.
   - The number of repaired files.
   - The number of viral processes terminated.

The digital signature

FxNimdaE.com is digitally signed. Symantec recommends that you only use copies of FxNimdaE.com that have been downloaded directly from the Symantec Security Response (formerly SARC) download site. To check the authenticity of the digital signature, follow these steps:

1. Go to http://www.wmsoftware.com/free.htm
2. Download and save the chktrust.exe file to the same folder where you saved FxNimdaE.com (for example, C:\Downloads).
3. Click Start, point to Programs, and click MS-DOS Prompt.
4. Change to the folder where FxNimdaE.com and Chktrust.exe are stored, and then type:

      chktrust -i FxNimdaE.com

   For example, if you saved the file to the C:\Downloads folder, you would enter the following commands:

      cd\
      cd downloads
      chktrust -i FxNimdaE.com

   Press Enter after typing each command.
5. If the digital signature is valid, you will see the following:

      Do you want to install and run "FxNimdaE.com" signed on 11/2/2001 3:37 PM and distributed by Symantec Corporation.

   NOTES:
   - The date and time that are displayed in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone. If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
   - If this dialog box does not appear, there are two possible reasons:
     - The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
     - The tool is from Symantec, and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.
6. Click Yes to close the dialog box.
7. Type exit and then press Enter. This will close the MS-DOS session.

System Restore option in Windows Me/XP

Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location.

For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:

   - How to disable or enable Windows Me System Restore.
   - How to disable or enable Windows XP System Restore.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to extract the Riched20.dll

If you see error messages when you start programs such as Microsoft Word, or if the programs will not start, you need to extract the Riched20.dll file. (As an alternative, you can reinstall the operating system and the affected programs.) Please see the instructions for your operating system.

NOTE: These instructions are provided for your convenience and will work on most computers. For additional information on extracting files, including other Windows files that may have been damaged, read one of the following:

   - If you are using Microsoft Outlook 2002 or Microsoft Office 2002, there is an easier way to do this. These programs have the ability to replace the Riched20.dll file if you first rename it. For instructions on how to do this, read the Microsoft Knowledge Base article OL2002: Outlook Stops Responding with Riched20.dll Error Messages, Article ID: Q291651.
   - To learn how to extract files in Windows 9x and Windows Me, see the Microsoft Knowledge Base article How to Extract Original Compressed Windows Files, Article ID: Q129605.

Windows 95/98

You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

NOTES:
   - You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer.) For instructions on how to create one, see the document How to create a Windows Startup disk.
   - Have the Windows installation CD available.
   - When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is drive D, then you would type:

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

   - If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows folder.
   - For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
   - As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.

1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn the computer back on. At the menu, select "Start with CD-ROM support."
2. Type the command that applies to your operating system:
   - If you are using Windows 98, then type the following and press Enter:

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

   - If you are using Windows 95, then type the following and press Enter:

        extract /a win95_10.cab riched20.dll /L c:\windows\system

   NOTE: If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.

Windows NT 4.0

1. Make sure that Windows is configured to show all files.
2. Search for and delete all Riched20.dll files.
3. Reapply the most recent service pack. The service pack will replace the file with a new copy.
4. After replacing the Riched20.dll file, if programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.

Windows 2000

If you are using Windows 2000, a built-in program will find and replace missing or corrupted system files. To replace the corrupted Riched20.dll, follow these steps:

1. Make sure System File Checker is enabled:
   a. Click Start, and click Run.
   b. Type cmd and click OK.
   c. Type the following and then press Enter:

         sfc /enable

   d. Type exit and then press Enter.
2. Make sure that Windows is configured to show all files:
   a. Start Windows Explorer.
   b. Click the Tools menu, and click Folder options.
   c. Click the View tab.
   d. Uncheck "Hide file extensions for known file types."
   e. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
   f. Click Apply, and then click OK.
3. Search for Riched20.dll:
   a. Click Start, point to Find or Search, and click Files or Folders.
   b. Make sure that "Look in" is set to (C) and that "Include subfolders" is checked.
   c. In the "Named" or "Search for..." box, type (or copy and paste) the following file name: riched20.dll
   d. Click Find Now or Search Now.
   e. Delete the files that are displayed.
4. Restart the computer.
5. System File Checker will replace any missing Riched20.dll files.

If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.

Write-up by: Andy Cianciotto
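Item 4 of "What the tool does" says the tool repairs System.ini by removing the modifications made to the shell= line. The following is an added example, not Symantec's code and not the logic of FxNimdaE.com: it shows what such a repair looks like when written out, assuming that the clean value on Windows 9x/Me is shell=explorer.exe and that anything else on that line in the [boot] section is the modification to remove. The sample INI content and the loader name EXTRA_LOADER_PLACEHOLDER.exe are constructed for the demonstration.

```python
"""Reset the shell= line of a Windows 9x/Me system.ini to its default.

Added example (not the Symantec tool's own code).  Assumptions: the clean
value is "shell=explorer.exe"; only the [boot] section is relevant; a
missing shell= key is left alone because the tool removes modifications
rather than adding settings.  The sample input below is constructed.
"""

DEFAULT_SHELL = "explorer.exe"

# Constructed sample: a [boot] section whose shell= line has had an extra
# loader appended.  The loader name is a placeholder, not a real artefact.
SAMPLE_SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=explorer.exe EXTRA_LOADER_PLACEHOLDER.exe -someflag
system.drv=system.drv

[386Enh]
shell=this one is not in [boot], so it is left alone
"""


def repair_shell_line(ini_text):
    """Return (repaired_text, changed).

    Walks the file line by line, tracking which INI section it is in, and
    rewrites the value of shell= inside [boot] when it differs from the
    default (case and surrounding blanks ignored).  Everything else,
    including line endings and other sections, is passed through unchanged.
    """
    out = []
    changed = False
    in_boot = False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            # Section header: remember whether we are now inside [boot].
            in_boot = stripped.lower() == "[boot]"
        elif in_boot:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "shell":
                ending = line[len(line.rstrip("\r\n")):]   # keep CRLF/LF as found
                if value.strip().lower() != DEFAULT_SHELL:
                    line = f"{key}={DEFAULT_SHELL}{ending}"
                    changed = True
        out.append(line)
    return "".join(out), changed


def repair_system_ini_file(path):
    """Repair a real system.ini in place, keeping a .bak copy of the original.

    Returns True when the file was modified.  Latin-1 is used so that any
    byte sequence round-trips unchanged.
    """
    with open(path, "r", encoding="latin-1") as f:
        original = f.read()
    repaired, changed = repair_shell_line(original)
    if changed:
        with open(path + ".bak", "w", encoding="latin-1") as f:
            f.write(original)
        with open(path, "w", encoding="latin-1") as f:
            f.write(repaired)
    return changed


if __name__ == "__main__":
    fixed, was_changed = repair_shell_line(SAMPLE_SYSTEM_INI)
    print("changed:", was_changed)
    print(fixed)
```

Running the module on the constructed sample reports changed: True and prints the [boot] section with shell=explorer.exe restored while the [386Enh] line is untouched; running repair_shell_line again on the result reports no change, which is the idempotence a repair step needs when the tool is run several times as the procedure recommends.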
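The NOTE under item 3 of "What the tool does" warns that the tool deletes detected .eml, .nws, .doc and .txt files only when that is the file's final extension, so a double-extension file such as one ending in .eml.bad is left behind and must be deleted by hand. The following is an added example, not Symantec's code: a small walker that lists files in a tree whose names carry one of those four extensions somewhere other than the end, so that an administrator can review them after the tool has run. It only flags names for review; it does not decide whether a file is infected, which requires a scanner. The directory tree it builds for the demonstration is constructed.

```python
"""List files the removal tool would not delete because of a double extension.

Added example (not the Symantec tool's own code).  A name is flagged when
one of the tool's four extensions appears before a different final
extension, e.g. report.eml.bad or mail.nws.old.  Files whose final
extension is one of the four are the tool's job and are not flagged.
"""
import os
import tempfile

# Extensions the tool deletes when they are the final extension.
TOOL_EXTENSIONS = {".eml", ".nws", ".doc", ".txt"}


def needs_manual_review(filename):
    """True when a tool extension appears in the name but is not the last one."""
    parts = filename.lower().split(".")
    if len(parts) < 3:            # need base name + inner ext + outer ext
        return False
    inner = {"." + p for p in parts[1:-1]}
    outer = "." + parts[-1]
    return outer not in TOOL_EXTENSIONS and bool(inner & TOOL_EXTENSIONS)


def find_leftovers(root):
    """Walk root and return sorted relative paths that need manual review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if needs_manual_review(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree in a temp dir for a demonstration run."""
    root = tempfile.mkdtemp(prefix="nimda_leftover_demo_")
    for rel in ["readme.eml", "sample.eml.bad", "notes.txt", "a/b/mail.nws.old",
                "a/report.doc.bak", "a/b/plain.dat", "x.eml.nws"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_leftovers(demo_root):
        print("review manually:", hit)
```

On the constructed tree the walker reports sample.eml.bad, a/report.doc.bak and a/b/mail.nws.old; readme.eml and x.eml.nws are not listed because their final extension is one the tool handles itself.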