W32.Nimda.A@mm - Removal

Risk Level 2: Low

Discovered:
September 18, 2001
Updated:
February 13, 2007 11:37:18 AM
Also Known As:
W32/Nimda@MM [McAfee], PE_NIMDA.A [Trend], I-Worm.Nimda [Kaspersky], W32/Nimda-A [Sophos], Win32.Nimda.A [Computer Associ
Type:
Worm, Virus
Systems Affected:
Microsoft IIS, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CVE-2000-0884 CVE-2001-0154

Symantec Security Response has posted a tool to remove the infections that W32.Nimda.A@mm caused.

NOTE: Once W32.Nimda.A@mm has attacked a computer, an unauthorized user may remotely access your system. For this reason, it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:
  • Stealing or changing passwords or password files
  • Installing remote-connectivity host software, also known as backdoors
  • Installing keystroke logging software
  • Reconfiguring firewall rules
  • Stealing credit card numbers, banking information, personal data, and so on
  • Deleting or modifying files
  • Sending inappropriate or even incriminating material from a customer's email account
  • Modifying access rights on user accounts or files
  • Deleting information from log files to hide such activities

If you need to be certain that your organization is secure, re-install the operating system and restore the files from a backup that was made before the infection took place, and then change all the passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.

Manual Removal Instructions
If you cannot obtain the removal tool, or if it does not work in your situation, follow these steps:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Do one of the following:
    • If you are running Windows NT/2000/XP, skip to step 3.
    • If you are running Windows 95/98/Me, edit the System.ini file as follows:
      1. Click Start, and then click Run.
      2. Type the following, and then click OK:

        edit c:\windows\system.ini

        The MS-DOS Editor opens.

        NOTE: If Windows is installed in a different location, make the appropriate substitution.

      3. Locate the line that begins with shell=
      4. Position the cursor immediately to the right of the equal sign.
      5. Press Shift+End to select all the text to the right of the equal sign, and then press Delete.
      6. Type the following text:

        explorer.exe

        The line should now look like:

        shell=explorer.exe

        NOTE: Some computers may have an entry other than Explorer.exe after shell=. If this is the case and you are running an alternative Windows shell, change this line to shell=explorer.exe for now. You can change it back to your preferred shell after you have finished this procedure.

      7. Click File, click Exit, and then click Yes when you are prompted to save the changes.
  3. Restart the computer.

    NOTE: When your computer restarts, it is likely that infected files will be found. We recommend that you attempt to repair the infected file. Quarantine any file that is not repairable.
  4. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  5. Scan your system with Norton AntiVirus. For more information, read the document, "How to run a full system scan with Norton AntiVirus."
  6. For each file detected as infected by W32.Nimda.A@mm or W32.Nimda.A@mm (html), choose Repair. Quarantine any file that is not repairable.
  7. For each file detected as infected by W32.Nimda.A@mm (dr), W32.Nimda.enc, or W32.Nimda.A@mm (dll), choose Delete.
  8. Restore Admin.dll and Riched20.dll from a backup, or from the Microsoft Windows or Office .cab files if necessary.
  9. Remove unnecessary shares.
  10. Delete the guest account from the Administrators group, if applicable.
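The System.ini edit in step 2 above (keep everything left of the equal sign, replace everything right of it with explorer.exe) can be checked and applied against a copy of the file taken from the machine. This is an added Python example, not code from the Symantec writeup; the sample INI text is constructed and the function names are the author's own.

```python
# Added example: audits/repairs the [boot] shell= line of a Windows 9x/Me
# System.ini as text, mirroring the manual edit (keep the key, replace the
# value with explorer.exe). Not part of the Symantec writeup.
from __future__ import annotations

EXPECTED_SHELL = "explorer.exe"

def find_shell_entry(ini_text: str) -> tuple[int, str] | None:
    """(line index, value) of shell= inside [boot], or None; case-insensitive."""
    section = None
    for idx, raw in enumerate(ini_text.splitlines()):
        line = raw.strip()
        if not line or line.startswith(";"):      # blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # track current section
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return idx, value.strip()
    return None

def shell_is_suspicious(ini_text: str) -> bool:
    """True when [boot] shell= exists and is anything other than explorer.exe."""
    entry = find_shell_entry(ini_text)
    return entry is not None and entry[1].lower() != EXPECTED_SHELL

def repair_shell_entry(ini_text: str) -> str:
    """Replace the shell= value with explorer.exe; every other line is untouched."""
    entry = find_shell_entry(ini_text)
    if entry is None:
        return ini_text
    lines = ini_text.splitlines()
    key_part = lines[entry[0]].split("=", 1)[0]   # text left of '='
    lines[entry[0]] = f"{key_part}={EXPECTED_SHELL}"
    return "\n".join(lines) + ("\n" if ini_text.endswith("\n") else "")

# Constructed sample (not a real capture): an unexpected second program
# follows explorer.exe, and a commented-out shell= line must be ignored.
SAMPLE_INI = (
    "[boot]\n"
    "oemfonts.fon=vgaoem.fon\n"
    "; shell=old.exe  (commented out, must be ignored)\n"
    "shell=explorer.exe unexpected_extra.exe\n"
    "[386Enh]\n"
    "device=*vpowerd\n"
)

if __name__ == "__main__":
    print("suspicious:", shell_is_suspicious(SAMPLE_INI))
    print(repair_shell_entry(SAMPLE_INI), end="")
```

As the NOTE in step 6 says, a legitimate alternative shell is also flagged by this check; restore it after the cleanup is complete.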

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners could detect the threat in that location.

For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

    How to extract the Riched20.dll
    If you see errors when you start programs such as Microsoft Word, or the programs will not start, you need to extract the Riched20.dll file. (As an alternative, you can re-install the operating system and the affected programs.)

    See the instructions for your operating system.

    NOTE: These instructions are provided for your convenience, and will work on most computers. For additional information on extracting files, including other Windows files that may have been damaged, read one of the following:

    Windows 95/98
    You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

      NOTES:
      • You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document, "How to create a Windows Startup disk."
      • Have the Windows installation CD available.
      • When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

      • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows folder.
      • For detailed instructions on using the Extract command, see the Microsoft document, "How to Extract Original Compressed Windows Files," Article ID: Q129605.
      • As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
    1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn on the computer again. At the menu, select Start with CD-ROM support.
    2. Type the command that applies to your operating system:
      • If you are using Windows 98, then type the following and press Enter:

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system
      • If you are using Windows 95, then type the following and press Enter:

        extract /a win95_10.cab riched20.dll /L c:\windows\system

      NOTE: If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit, and then press Enter.



    Windows NT 4.0
    1. Make sure that Windows is configured to show all the files.
    2. Search for and then delete all the Riched20.dll files.
    3. Re-apply the most recent service pack. The service pack will replace the file with a new copy.
    4. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to re-install Microsoft Office.


    Windows 2000
    If you are using Windows 2000, a built-in program will find and replace missing or corrupt system files. To replace the corrupted Riched20.dll, follow these steps:
    1. Make sure System File Checker is enabled:
      1. Click Start, and then click Run.
      2. Type cmd, and then click OK.
      3. Type the following, and then press Enter:

        sfc /enable
      4. Type exit, and then press Enter.
    2. Make sure that Windows is set to show all the files:
      1. Start Windows Explorer.
      2. Click the Tools menu, and then click Folder options.
      3. Click the View tab.
      4. Uncheck "Hide file extensions for known file types."
      5. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
      6. Click Apply, and then click OK.
    3. Search for Riched20.dll:
      1. Click Start, point to Find or Search, and then click Files or Folders.
      2. Make sure that "Look in" is set to (C) and that Include subfolders is checked.
      3. In the "Named" or "Search for..." box, type or copy and paste the following filenames:

        riched20.dll

      4. Click Find Now or Search Now.
      5. Delete the displayed files.
    4. Restart the computer.
    5. System File Checker will replace any missing Riched20.dll files. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to re-install Microsoft Office.


    Writeup By: Eric Chien
