W32.BleBla.J.Worm - Removal

Risk Level 1: Very Low


Discovered: August 1, 2002
Updated: February 13, 2007 11:57:56 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me
NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Restart the computer in Safe mode.
  2. Configure Windows to show all files.
  3. Find and delete the files that the worm saved to the hard drive.
  4. At a command prompt, copy Regedit.exe to Regedit.com.
  5. Edit the registry, and undo the changes that the worm made.
  6. Restart the computer, run LiveUpdate, and then run a full system scan.

For details on how to do this, read the following instructions.

To restart the computer in Safe mode:
All 32-bit versions of Windows (except Windows NT) can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.

To configure Windows to show all files:
  1. Start Windows Explorer.
  2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000/XP), and then click Options or Folder options.
  3. Click the View tab.
  4. Uncheck "Hide file extensions for known file types."
  5. Do one of the following:
    • Windows 95/NT: Click "Show all files."
    • Windows 98: In the Advanced settings box, under the "Hidden files" folder, click Show all files.
    • Windows Me/2000/XP: Uncheck "Hide protected operating system files," and under the "Hidden files" folder, click "Show hidden files and folders."
  6. Click Apply, and then click OK.

To find and delete the files that the worm saved to the hard drive:
Follow the instructions for the version of Windows that you are running:

Windows 95/98/Me/NT/2000
  1. Click Start, point to Find or Search, and then click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
  3. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

    sysmel32, sysmel32.exe, melh*.*

  4. Click Find Now or Search Now.
  5. Delete each file, and click Yes if you are prompted to confirm its deletion.
  6. Click New or New Search.
  7. In the "Named" or "Search for..." box, type--or copy and paste:

    Hi
  8. Click Find Now or Search Now.
  9. If a folder named Hi is found, delete it.
  10. Close the Find Files window.
  11. Right-click the Recycle bin icon on the Windows desktop, and click Empty Recycle Bin.

Windows XP
  1. Click Start, and then click Search.
  2. Click All files and folders.
  3. In the "All or part of the file name" box, type--or copy and paste--the following file names:

    sysmel32, sysmel32.exe, melh*.*
  4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
  5. Click "More advanced options."
  6. Check "Search system folders."
  7. Check "Search subfolders."
  8. Click Search.
  9. Delete each file, and click Yes if you are prompted to confirm its deletion.
  10. On the toolbar, click Search.
  11. In the "All or part of the file name" box, type--or copy and paste:

    Hi
  12. Click Search.
  13. If a folder named Hi is found, delete it.
  14. Close the Find Files window.
  15. Right-click the Recycle bin icon on the Windows desktop, and click Empty Recycle Bin.

To use the command prompt to copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
  1. Do one of the following, depending on which version of Windows you are running:
    • Windows 95/98 users:
      Click Start, point to Programs, and click MS-DOS Prompt.
    • Windows ME users:
      Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000 users:
      1. Click Start, and click Run.
      2. Type the following command, and then press Enter:

        command

        A DOS window opens.
      3. Type the following command, and then press Enter:

        cd \winnt
      4. Proceed to the next step.
  2. Type the following command, and then press Enter:

    copy regedit.exe regedit.com
  3. Type the following command, and then press Enter:

    start regedit.com
  4. Proceed to the next section, To edit the registry to undo the changes that the worm made, only after you have performed the previous steps.

To edit the registry to undo the changes that the worm made:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.
  1. Navigate to and open the following key:

    HKEY_CLASSES_ROOT\.exe

    CAUTION: Make sure that you go to the .exe subkey (note the period) and not the exefile subkey that is farther down in the list.
  2. In the right pane, double-click Default. The Edit String dialog box appears.
  3. Delete the contents of the Value data box, and then type:

    exefile
  4. Click OK. The key should now show exefile as its Default value. (Screenshot of the corrected key omitted.)

  5. Navigate to and select the following key:

    HKEY_CLASSES_ROOT\mhwfile

    NOTE:
    In this case, there is no period before the first letter.
  6. Press Delete, and then click Yes to confirm.
  7. Click the Edit menu, and click Find.
  8. In the "Find what" box, type the following, and press Enter:

    mhwfile

    You must change any entries that this search finds back to their correct settings. Entries will be found in many keys, and these key names begin with a period. Edit the Default value of each such key to change it back to the correct setting. Some of the keys that this worm can change, with their original values where known, are shown in the following list. Repeat the search for mhwfile (press F3) until no more instances of the entry are found in the registry.

    NOTE:
    This list is provided for your convenience. The values on your system may differ from that shown. In some cases, you may need to reinstall the software that is called by the damaged key. If you are not sure how to do this, please obtain the services of a qualified computer technician.

    .arj (The Zip program that you are using)
    .avi AVIFile
    .bmp Paint.Picture
    .doc (Double-click the .doc subkey, and change the Default value to reflect the latest version of Word; for example, Word.Document.8)
    .gif giffile
    .jpeg jpegfile
    .jpe
    .jpg jpegfile
    .lha
    .mp2 mpegfile
    .mp3 mp3file
    .mpeg mpegfile
    .mpg mpegfile
    .rar
    .reg regfile
    .vqf
    .wma
    .wmf
    .wmv
    .xls (Double-click the .xls subkey, and change the Default value to reflect the latest version of Excel; for example, Excel.Sheet.8)
    .zip (The Zip program that you are using)
  9. Exit the Registry Editor, and close the remaining DOS window.
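As an added example that is not part of the Symantec writeup: a small Python script that audits a regedit export (File > Export in the Registry Editor) for extension keys whose Default value the worm has pointed at mhwfile, and builds a .reg fragment that restores the values listed above. The sample export is constructed, and the KNOWN_GOOD table holds only the original values the writeup gives; extensions it leaves blank are reported for manual review.

```python
import re
# Known-good (Default) values for the extension keys the writeup lists; extensions with no known value are left out.
KNOWN_GOOD = {
    ".exe": "exefile", ".avi": "AVIFile", ".bmp": "Paint.Picture", ".gif": "giffile",
    ".jpeg": "jpegfile", ".jpg": "jpegfile", ".mp2": "mpegfile", ".mp3": "mp3file",
    ".mpeg": "mpegfile", ".mpg": "mpegfile", ".reg": "regfile",
}
HIJACK_VALUE = "mhwfile"

# Constructed sample of a regedit export, not a capture from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="mhwfile"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
[HKEY_CLASSES_ROOT\.jpg]
@="mhwfile"
[HKEY_CLASSES_ROOT\.rar]
@="mhwfile"
'''

def parse_defaults(reg_text):
    """Return {key_path: default_value} for each [key] block that has an @= line."""
    defaults, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        head = re.match(r'^\[(.+)\]$', line)
        if head:
            current = head.group(1)
        elif current is not None:
            val = re.match(r'^@="(.*)"$', line)
            if val:
                defaults[current] = val.group(1)
    return defaults

def find_hijacked(reg_text):
    """Extension keys (leaf name starts with '.') pointing at mhwfile, mapped to the restore value or None."""
    hijacked = {}
    for key, value in parse_defaults(reg_text).items():
        ext = key.rsplit("\\", 1)[-1]
        if ext.startswith(".") and value.lower() == HIJACK_VALUE:
            hijacked[key] = KNOWN_GOOD.get(ext.lower())
    return hijacked

def restore_script(hijacked):
    """Emit a .reg fragment resetting keys with a known-good value; unknown ones become ';' comments."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, good in sorted(hijacked.items()):
        out += [f"[{key}]", f'@="{good}"', ""] if good else [f"; {key}: original value unknown, reinstall the handler"]
    return "\n".join(out)
```

Import the resulting .reg only after reviewing it, since the writeup notes that values on a given system may differ from its list.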

To restart the computer, run LiveUpdate, and then run a full system scan:
Do not skip this step. It is necessary to ensure that all traces of the threat have been removed.

Writeup By: Gor Nazaryan