Discovered: September 19, 2001
Updated: February 13, 2007 11:33:34 AM
Type: Removal Information



Symantec has provided a fixtool to remove infections of W32.Nimda.A@mm. To read the write-up, which describes this threat in detail, click here.


Caution. Please read this first:
There are several variants of W32.Nimda in general circulation. Two of the most common are:

  • W32.Nimda.A@mm
  • W32.Nimda.E@mm
Symantec Security Response has created separate removal tools for these two threats. The tools are not interchangeable. Before you can use a removal tool, you must know which variant has infected the computer. The tool that can be downloaded from this document is designed to remove infections of W32.Nimda.A@mm (note the .A). It will not remove infections of W32.Nimda.E@mm. If you need to remove a W32.Nimda.E@mm infection, click here.

To obtain and run the W32.Nimda.A@mm tool:

NOTE: You must have administrative rights to run this tool on Windows NT, Windows 2000, or Windows XP.

IMPORTANT! Please read:
If you experience either or both of the following:
  • After running the tool, programs such as Microsoft Word no longer run.
  • When you run the tool, you see a message similar to "The file "not" is infected and *$#&#$*#@ repaired."
then the Microsoft Windows file Riched20.dll has been damaged by the virus. You must replace this file, and in many cases you will also have to reinstall Word or Office. See the section How to extract the Riched20.dll near the end of this document.

  1. Click here to download the Fixnimda.com file from http://securityresponse.symantec.com/avcenter/Fixnimda.com. Save the file to a convenient location, such as your download folder or the Windows desktop.
  2. To check the authenticity of the digital signature, refer to the section The digital signature.
  3. Close all running programs before running the tool.
  4. If you are running Windows Me, disable System Restore. Refer to the section System Restore option in Windows Me for additional details.

    NOTE: If you are running Windows Me, we strongly recommend that you do not skip this step.
  5. Double-click the Fixnimda.com file to start the removal tool.

    CAUTION: If you are on a network, you must apply the removal tool on all computers, including servers.
  6. Click Start to begin the process, and then allow the tool to run.
  7. Symantec recommends running the tool until the system is reported as clean.
  8. If necessary, download the appropriate Microsoft patches to patch vulnerable systems. These patches can be found here:
  9. If you are on a network or you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before you reconnect computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
  10. Restart the computer.
  11. Run the fixtool again to ensure that the system is clean.
  12. Install the necessary Microsoft patches to patch the known vulnerabilities.
  13. Reconnect the clean system to the network or re-enable your full-time internet connection.
  14. If you are running Windows Me, then re-enable System Restore.
  15. Run LiveUpdate to make sure that you are using the most current virus definitions.

NOTES:
  • The removal procedure might be unsuccessful if Windows Me System Restore is not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, any worm-removal attempts made by the removal tool might fail.

When the tool has finished running, you will see a message indicating whether the computer was infected by W32.Nimda.A@mm. If the worm was found and removed, the program displays the following results:
  • The total number of files scanned.
  • The number of deleted files.
  • The number of repaired files.
  • The number of viral processes terminated.


The digital signature
Fixnimda.com is digitally signed. Symantec recommends that you only use copies of Fixnimda.com that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
  1. Go to http://www.wmsoftware.com/free.htm
  2. Download and save the chktrust.exe file to the same folder where you saved Fixnimda.com, for example, C:\Downloads.
  3. Click Start, point to Programs, and click MS-DOS Prompt.
  4. Change to the folder where Fixnimda.com and Chktrust.exe are stored, and then type:

    chktrust -i Fixnimda.com

    For example, if you saved the file to the C:\Downloads folder:

    cd\
    cd downloads
    chktrust -i Fixnimda.com

    Press Enter after typing each command.
  5. If the digital signature is valid, you will see the following prompt:

    Do you want to install and run "Nimda Fix Tool" signed on 10/9/2001 11:56 AM and distributed by Symantec Corporation.

    NOTES:
    • The date and time that are displayed in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
    • If you are using Daylight Saving Time, the time that is displayed will be exactly one hour earlier.
    • If this dialog box does not appear, do not use your copy of Fixnimda.com. It is not from Symantec.
  6. Click Yes to close the dialog box.
  7. Type exit and then press Enter. This will close the MS-DOS session.


What the tool does
The W32.Nimda.A@mm fixtool will perform the following steps:
  1. Terminates all processes associated with the virus.
  2. Terminates the Explorer.exe process and relaunches it. The virus injects itself into Explorer.exe, which makes this step necessary. Because of this, you may see the desktop flash (this is expected behavior).
  3. Detects all types of W32.Nimda.A@mm infections. Repairs those files that can be repaired. Deletes .eml, .nws, .doc and .txt files that have been detected as infected.

    NOTE: The tool does not delete infected files whose final extension is not one of the four listed above. For example, a file with the double extension .eml.bad will not be deleted; you must delete such files manually.
  4. Repairs the System.ini file by removing the modifications made to the shell= line.
  5. Removes the Guest account from the Administrators group and disables the Guest account in the Guests group.
  6. Repairs multiple HTML infections.
  7. Returns shared drives and folders to default security settings.

    IMPORTANT NOTES:
    • Windows NT/2000/XP. This tool will restore the original security of Windows NT/2000/XP shares as long as the computer has not been restarted since the virus was launched. The only exception is shares that have Everyone [Full Control] as their only permission: these cannot be distinguished from shares that the virus has modified, and they will be set to Administrators [Full Control].
    • Windows 95/98/Me. On Windows 95/98/Me computers, if the computer has not been restarted, the tool will restore the pre-infection security settings of the shares. If the computer has been restarted, the tool will apply the following settings:
      • The "Win9x Share Read Write Password" will be applied to shares with Access Type "Full"
      • The "Win9x Share Read Only Password" will be applied to shares with Access Type "Read-Only"
      • Both passwords will be applied to shares with Access Type "Depends on Password"
  8. Deletes registry values which had been modified to prevent Windows Explorer from showing hidden files or known file extensions. Deleting these values resets them to their defaults. You should reconfigure these options to their desired settings. (To do this, in Windows Explorer, click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000), and then click Options or Folder options. Change settings as desired.)
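Step 4 above describes the System.ini repair in a single sentence. The following Python script is an added example, not Symantec's tool, showing how that check and repair can be done on a Windows 9x/Me System.ini: it locates the shell= entry in the [boot] section (other sections and comment lines are ignored), flags anything other than a bare Explorer.exe (a path to Explorer.exe is tolerated; extra programs or arguments appended to the line are not), and rewrites the line, keeping a .bak copy when run against a file. The sample INI text and the appended "dropper.exe -x" are constructed stand-ins for the worm's modification, not its actual value, and the function names are my own.

```python
"""Check and repair the shell= entry of a Windows 9x/Me System.ini.

Added example, not Symantec's fixtool. The [boot] section of System.ini names
the shell that Windows starts; the worm appends to that line, and the tool's
step 4 strips the appendage. This script does the same: find shell= in [boot]
and, if it is not a lone Explorer.exe, rewrite it.
"""
from pathlib import Path

DEFAULT_SHELL = "explorer.exe"

# Constructed sample. "dropper.exe -x" is a stand-in for the worm's appended
# text, not the real modification.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe dropper.exe -x\n"
    "drivers=mmsystem.dll\n"
    "[386Enh]\n"
    "; shell=ignored, comment lines are skipped\n"
    "device=*vpowerd\n"
)


def find_shell_line(ini_text):
    """Return (line_index, value) of shell= in the [boot] section, or (None, None).

    Keys are matched case-insensitively; only [boot] is consulted, and lines
    starting with ';' are comments.
    """
    section = None
    for index, raw in enumerate(ini_text.splitlines()):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return index, value.strip()
    return None, None


def shell_is_tampered(value):
    """True when shell= names anything but a single Explorer.exe (a path is allowed)."""
    if value is None:
        return False
    tokens = value.split()
    if len(tokens) != 1:
        return True  # a second program or arguments were appended to the shell
    basename = tokens[0].replace("\\", "/").rsplit("/", 1)[-1]
    return basename.lower() != DEFAULT_SHELL


def repair_shell_line(ini_text):
    """Return (new_text, changed, old_value); the text is left alone when clean."""
    index, value = find_shell_line(ini_text)
    if index is None or not shell_is_tampered(value):
        return ini_text, False, value
    lines = ini_text.splitlines(keepends=True)  # same split points as above
    body = lines[index].rstrip("\r\n")
    ending = lines[index][len(body):]  # preserve the original line ending
    lines[index] = "shell=Explorer.exe" + ending
    return "".join(lines), True, value


def repair_file(path):
    """Repair System.ini on disk, saving a .bak copy first. Returns (changed, old_value)."""
    p = Path(path)
    original = p.read_text(encoding="latin-1")  # round-trips every byte unchanged
    new_text, changed, old_value = repair_shell_line(original)
    if changed:
        p.with_suffix(".bak").write_text(original, encoding="latin-1")
        p.write_text(new_text, encoding="latin-1")
    return changed, old_value


if __name__ == "__main__":
    index, value = find_shell_line(SAMPLE_SYSTEM_INI)
    print(f"shell= on line {index + 1}: {value!r}, tampered={shell_is_tampered(value)}")
    fixed, changed, _ = repair_shell_line(SAMPLE_SYSTEM_INI)
    print("changed" if changed else "unchanged")
    print(fixed, end="")
```

Run it on a real file with `repair_file(r"C:\WINDOWS\SYSTEM.INI")` from an administrative prompt after the tool has terminated the worm's processes; repairing the line while the injected code is still running only invites it to be rewritten.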


Command line switches available in this tool:
/NOFIXSHARE - will disable share repair (use of this switch is not recommended).
/NOFIXREG - will disable registry repair (use of this switch is not recommended).
/SILENT, /S - enables silent mode.
/LOG=[PATH NAME] - creates a logfile where [PATH NAME] is the location in which to store the output of the tool.
/RWPWD=[PASSWORD] - apply this password to Win9x Read Write Shares
/ROPWD=[PASSWORD] - apply this password to Win9x Read Only Shares
    CAUTION: Once a computer has been attacked by W32.Nimda.A@mm, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:
    • Stealing or changing passwords or password files
    • Installing remote-connectivity host software, also known as backdoors
    • Installing keystroke logging software
    • Changing firewall rules
    • Stealing credit card numbers, banking information, personal data, and so on
    • Deleting or modifying files
    • Sending inappropriate or even incriminating material from your email account
    • Modifying access rights on user accounts or files
    • Deleting information from log files to hide such activities

    If you need to be certain that your organization is secure, you must reinstall the operating system, restore files from a backup that was made before the infection took place, and change all passwords that may have been on the infected computers or that were accessible from them. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.


System Restore option in Windows Me
One of the new features of Windows Me is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is created on each hard drive on the computer; these folders are updated when the computer restarts.

If the computer is infected with W32.Nimda.A@mm, then it is possible that the worm could be backed up in the _RESTORE folder. By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by the removal tool will fail. To work around this, you must disable System Restore and restart the computer. This will purge the contents of the _RESTORE folder. You must then run the removal tool again.

To disable System Restore:

Follow the steps listed below the following figure. Use the numbers in the figure for reference.



How to extract the Riched20.dll
If you see errors when you start programs such as Microsoft Word, or the programs will not start, you need to extract the Riched20.dll file. (As an alternative, you can reinstall the operating system and the affected programs.)

Please see the instructions for your operating system.

NOTE: These instructions are provided for your convenience, and will work on most computers. For additional information on extracting files, including other Windows files that may have been damaged, read one of the following:

Windows 95/98
You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

    NOTES:
    • You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document How to create a Windows Startup disk.
    • Have the Windows installation CD available.
    • When typing the command, substitute the letter of your CD-ROM drive for the drive letter shown. For example, if you are using Windows 98 and the CD-ROM drive is drive D, you would type

      extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

    • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows folder.
    • For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
    • As a somewhat easier alternative to the following procedure, if you are using Windows 98, you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
  1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn the computer back on. At the menu, select Start with CD-ROM support.
  2. Type the command that applies to your operating system:
    • If you are using Windows 98, then type the following and press Enter:

      extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

    • If you are using Windows 95, then type the following and press Enter:

      extract /a win95_10.cab riched20.dll /L c:\windows\system
    NOTE: If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.



Windows NT 4.0
  1. Make sure that Windows is configured to show all files.
  2. Search for and then delete all Riched20.dll files.
  3. Reapply the most recent service pack. The service pack will replace the file with a new copy.
  4. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.


Windows 2000
If you are using Windows 2000, a built-in program will find and replace missing or corrupt system files. To replace the corrupted Riched20.dll, follow these steps:
  1. Make sure System File Checker is enabled:
    1. Click Start and then click Run.
    2. Type cmd and click OK.
    3. Type the following and then press Enter:

      sfc /enable
    4. Type exit and then press Enter.
  2. Make sure that Windows is set to show all files:
    1. Start Windows Explorer.
    2. Click the Tools menu and then click Folder options.
    3. Click the View tab.
    4. Uncheck "Hide file extensions for known file types."
    5. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
    6. Click Apply, and then click OK.
  3. Search for Riched20.dll:
    1. Click Start, point to Find or Search, and click Files or Folders.
    2. Make sure that "Look in" is set to (C) and that Include subfolders is checked.
    3. In the "Named" or "Search for..." box, type (or copy and paste) the following file name:

      riched20.dll
    4. Click Find Now or Search Now.
    5. Delete the files that are displayed.
  4. Restart the computer.
  5. System File Checker will replace any missing Riched20.dll files. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to reinstall Microsoft Office.