W32.Nimda.A@mm


Discovered: September 18, 2001
Updated: February 13, 2007 11:37:18 AM
Also Known As: W32/Nimda@MM [McAfee], PE_NIMDA.A [Trend], I-Worm.Nimda [Kaspersky], W32/Nimda-A [Sophos], Win32.Nimda.A [Computer Associ
Type: Worm, Virus
Systems Affected: Microsoft IIS, Windows
CVE References: CVE-2000-0884 CVE-2001-0154


NOTE: As of January 15, 2003, due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 4 to a Category 2.

Symantec has not seen any significant increase in activity due to the re-activation of the emailing routine after its initial 10-day sleep period.

W32.Nimda.A@mm is a mass-mailing worm that uses multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin."

This worm:

  • Sends itself by email
  • Searches for open network shares
  • Attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers
  • Is a virus infecting both local files and files on remote network shares.

The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Pack 5 or 6a, or Windows 2000 Gold or Service Pack 1, as well as information regarding this exploit, can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

When the worm arrives by email, it uses a MIME exploit that allows the threat to be executed merely by reading or previewing the message. Information and a patch for this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

If you visit a compromised Web server, you will be prompted to download a .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer Internet Security Zones to prevent this compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process, the worm creates the guest account with Administrator privileges.


Virus Definitions
Virus Definitions may be downloaded using LiveUpdate or from the Symantec Security Response Web site.

Symantec Solutions
Symantec offers a host of solutions to defend and protect against W32.Nimda.A@mm. Click here to review Symantec's recommendations on how to address W32.Nimda.A@mm and similar "blended threats."

Information for Macintosh users
Although this worm does not infect Macintosh computers, the worm can be passed through Macintosh email to Windows computers. Also, if you share a network with Windows computers, files could be placed on your hard drive. For additional information, read the document, "Are Macintoshes affected by the Nimda virus?"

Information for Novell users
Novell servers are not directly vulnerable, but a Novell client running under Windows can access the Novell server and execute the file from there (using a login script or other means), which can further spread the virus.

NOTE: Microsoft has released a cumulative roll up for IIS 4.0 on NT 4.0 SP5 and later, as well as all security patches released to date for IIS 5.0. This information can be found at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp .

Microsoft has provided information regarding this threat at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/nimda.asp .


For information on .enc detections, read the article, "What is an .enc detection?"

For additional information, read the Microsoft TechNet article, "Information on the "Nimda" Worm."

Norton AntiVirus
Norton AntiVirus is the world's most trusted antivirus solution. Now it repairs common virus infections automatically, without interrupting your work. Automatic updating of virus definitions over the Internet is just as easy. Symantec's exclusive Script Blocking technology defends against fast-moving threats by identifying and stopping new script-based viruses such as "ILoveYou" even between virus definition updates. To safeguard your PC and prevent it from spreading viruses to your friends and colleagues, Norton AntiVirus scans and cleans both incoming and outgoing email. And for instant access to the most-needed functions, it integrates into Windows Explorer. If you do not have antivirus software, protect your computer from worms and viruses with Symantec's award-winning Norton AntiVirus.

Norton AntiVirus Corporate Edition
Norton AntiVirus Corporate Edition provides best-of-breed, multi-platform, enterprise-wide virus protection at the desktop and file server tiers. The Digital Immune System, the result of two years collaborative work with IBM®, provides access to intelligent back-end services and exclusive automated response mechanisms. Closed-loop automation is a response feature that analyzes and deploys quality-tested cures faster than viruses can spread. Even in the face of unusually heavy demand during widespread attacks, Symantec's scalable back-end architecture ensures fast delivery of the virus definitions required for complete protection.

Norton AntiVirus for Gateways
Norton AntiVirus for Gateways scans compressed files at the SMTP gateway, automatically detecting viruses in email attachments in a nearly unlimited number of file formats, including ZIP, UUENCODE, and MIME. Since it also scans and repairs files contained within common compressed file formats, it provides solid defense against virus writers, who often conceal viruses in compressed files. Using integrated proactive AntiVirus functions, administrators can block new and unknown viruses before a cure exists, preventing virus outbreaks from entering the organization.

Norton AntiVirus for Lotus Notes
Norton AntiVirus for Lotus Notes/Domino provides stable, reliable, and award-winning protection for Lotus Notes/Domino databases, including Lotus Domino Release 5. It offers administrators the most comprehensive, automatic protection available against new and existing viruses and keeps databases free from viruses, automatically scanning and repairing file attachments and embedded OLE objects in Notes mail and database documents. Efficient incremental scans minimize impact on network performance. And because administrators don't have to reinstall the scan engine every time a new virus is discovered, it significantly reduces total cost of ownership. Norton AntiVirus is easy to use because all operations are done using the Notes client.

Norton AntiVirus for Microsoft Exchange
Norton AntiVirus 2.5 for Microsoft Exchange automatically detects and removes old and new viruses on Exchange servers, providing the most comprehensive, automatic virus protection available. Using the latest virus scanning APIs from Microsoft, Norton AntiVirus for Microsoft Exchange scans both the email message body and attachments to provide maximum protection while minimizing the impact on network performance. Because administrators do not have to reinstall the scan engine to add new virus definitions, Norton AntiVirus significantly reduces cost of ownership.

Norton Internet Security
Norton Internet Security is the integrated online security suite from Symantec. The Norton Internet Security suite includes Norton AntiVirus, Norton Personal Firewall, Norton Privacy Control and Ad Blocking. The ability to easily update the suite (for the latest virus definitions, firewall rules, etc.) via LiveUpdate ensures that Norton Internet Security continues to provide security to the user's computer from the latest online threats.

Symantec Desktop Firewall
Symantec Desktop Firewall is the easiest to use and least intrusive solution for protecting remote users from hackers and corporate networks from back-door attacks. It deploys rapidly and works in the background, monitoring inbound and outbound communications. Remote installation and compatibility with leading VPNs make it an essential solution for securing remote communications.

Symantec Enterprise Firewall
Symantec Enterprise Firewall and Raptor Firewall will, through proper configuration, analyze HTTP requests and responses to ensure they adhere to the Requests for Comments (RFC) defining Web protocol behavior. This mechanism effectively blocks many common attacks that take advantage of protocol violations. In addition, Symantec Enterprise Firewall/Raptor Firewall version 6.5 or later can be configured to use URL pattern matching on rules to block against quantified threats on specific web server platforms.

Symantec VelociRaptor
VelociRaptor is a single-rack unit high (1RU), plug-and-protect appliance that ensures complete control of information entering and leaving the network. Its advanced data inspection technology filters traffic and integrates application level proxies, network circuit analysis, and packet filtering into the gateway security architecture. To bar access to private networks and confidential information, VelociRaptor applies full-inspection scanning techniques that ensure that data is validated at all seven levels of the protocol stack, including application proxies.

Symantec Enterprise Security Manager (ESM)
Symantec Enterprise Security Manager is a scalable security policy compliance and host-based vulnerability assessment tool. Using this tool you can detect systems that are running IIS server, detect systems that have the web Directory Traversal Vulnerability and can also detect modified files, new files and deleted files through its snapshot technology. It can also detect other modifications in the registry, useful in forensic analysis. If you have not already deployed ESM within your enterprise it is of limited use in recovering from a widespread compromise like W32.Nimda.A@mm. However, it has tremendous strength in mitigating the risk of the next W32.Nimda.A@mm type worm since it enforces best practices, e.g., identifying inadequate patch levels, unneeded services, and weak passwords. Click here to review the Enterprise Security Manager Security Response Policy for Nimda on Windows NT and Windows 2000.

Symantec NetRecon
Symantec NetRecon is a network vulnerability assessment scanner with root cause analysis capabilities. It detects systems that are running Web services, specifically Microsoft IIS, and also detects systems that have the Web Directory Traversal Vulnerability.

Symantec NetProwler
NetProwler is Symantec's network-based intrusion detection tool that continuously and transparently monitors your network for patterns of misuse or abuse. With Security Update 8 installed, NetProwler will detect the CodeRed worm and variants operating on your network. The NetProwler logs will identify each system compromised by the W32.Nimda.A@mm worm. NetProwler can also assist in forensic analysis by reviewing log entries to provide clues as to which host(s) on the network were first compromised by the worm.

Symantec Intruder Alert
Intruder Alert is a host-based intrusion detection tool that detects unauthorized and malicious activity, keeping systems, applications, and data secure from misuse and abuse. The FileWatch function in Intruder Alert can monitor mission-critical files and detect any changes, deletions, or movements that may have resulted from unauthorized access after a W32.Nimda.A@mm compromise. In addition, Intruder Alert provides utilities to develop custom rules that can restore the compromised or changed files to their original state. Intruder Alert also monitors a system for suspicious behavior such as rootkit or DDoS agent installation, or account creation or modification. Intruder Alert can centrally manage log file events from across the network to assist in forensic analysis of compromised systems.

Symantec Web Security
Symantec Web Security protects web traffic at the HTTP/FTP gateway with high-performance, one-time scanning for viruses, malicious code, and inappropriate web content. It is the only solution that combines heuristic, context-sensitive analysis with list-based techniques for ensuring maximum protection against known and unknown malware threats and non-business-related web sites.

Antivirus Protection Dates

  • Initial Rapid Release version September 18, 2001
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version September 18, 2001
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date September 18, 2001

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Eric Chien



Infection by a Web Server

W32.Nimda.A@mm attempts to infect unpatched Microsoft IIS Web servers. On Microsoft IIS 4.0 and 5.0, it is possible to construct a URL that would cause IIS to navigate to any desired folder on the logical drive that contains the Web folder structure, and then access files in it. A patch and information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/ms00-078.asp .

Successful exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as add, change, or delete files or Web pages on the compromised server. The limitations of the original vulnerability include:

  1. The server configuration. The vulnerability only allows files to be accessed if they reside on the same logical drive as the Web folders.

    For example, if a Web administrator had configured the server so that the operating system files were installed on the C drive and the Web folders were installed on the D drive, the attacker would be unable to use the vulnerability to access the operating system files.
  2. The attacker must be logged onto the server interactively.
  3. The gained privileges would be only those of a locally logged-on user. The vulnerability would only allow the malicious user to take actions in the context of the IUSR_machinename account.

However, by using the W32.Nimda.A@mm worm as a delivery mechanism, the attacker can remotely compromise a vulnerable IIS server, and once compromised, create a local account on the targeted server with administrator privileges, regardless of the drive on which the IIS server is installed. The worm uses directory traversal techniques to access cmd.exe on unpatched IIS servers. The worm also attempts to use the IIS servers that CodeRed II had previously compromised to propagate and to access root.exe from the inetpub/scripts directory.

NOTE: If Norton AntiVirus RealTime protection detects files such as "TFTP34%4.txt" as being infected with W32.Nimda.A@mm in your inetpub/scripts folder, you may have been previously exposed to CodeRed II. We recommend that you download and execute the CodeRed removal tool to make sure that your system has been cleaned of the CodeRed II threat.

The worm searches for Web servers using randomly generated IP addresses. Using the Unicode Web Traversal exploit, the worm copies itself to the Web server as admin.dll via TFTP. Infected machines create a listening TFTP server (port 69/UDP) to transfer the copy of the worm.

Then, this file is executed on the Web server and copied to multiple locations. In addition to this exploit, the worm attempts to exploit already compromised Web servers using the files root.exe or cmd.exe, which are located in remotely executable Web directories.

Then, the worm attempts to modify the files named default, index, main or readme, or files with the extensions .htm, .html, or .asp, by adding JavaScript. The JavaScript causes visitors who open infected pages to be presented with Readme.eml, which the worm created.

Readme.eml is an Outlook Express email file, with the worm as an attachment. The email messages use the MIME exploit. Thus, a computer may be infected by browsing the infected Web page.
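The server-side behaviour described in this section (traversal to cmd.exe, and requests for root.exe left behind by CodeRed II) is easiest to spot in the IIS request log. The following Python is an added detection example, not Symantec's or Microsoft's code: it decodes each requested path the way the unpatched IIS effectively did, accepting overlong UTF-8 forms such as %c0%af that a strict decoder rejects, and flags requests that climb out of the Web root, that reach cmd.exe or root.exe, or that contain a path separator only visible after decoding. The W3C-style log lines and client addresses are constructed for the example, and decoding is repeated up to three times so that doubly encoded separators are caught as well.

```python
import re
from typing import Dict, List

# Constructed IIS W3C-style log lines for this example (not captured traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 09:14:02 192.0.2.10 GET /default.htm - 200
2001-09-18 09:14:05 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-09-18 09:14:07 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 09:14:09 198.51.100.7 GET /scripts/..%e0%80%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:14:11 192.0.2.10 GET /images/../index.html - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
# Files the worm reaches for on a traversable or CodeRed-II-backdoored server (from the writeup).
SHELL_NAMES = {"cmd.exe", "root.exe"}


def _is_cont(c: int) -> bool:
    """True for a UTF-8 continuation byte (10xxxxxx)."""
    return 0x80 <= c < 0xC0


def percent_decode_lenient(s: str) -> str:
    """Percent-decode, then decode UTF-8 *without* rejecting overlong forms.

    A strict decoder refuses %c0%af and %e0%80%af; the unpatched IIS did not,
    and it checked for '..' before decoding, so the '/' hidden in those bytes
    let the path climb out of the Web root (MS00-078). Only 1-3 byte forms
    are handled; any other byte is kept as a Latin-1 character.
    """
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and HEX2.fullmatch(s[i + 1:i + 3]):
            raw.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(s[i].encode("latin-1", "replace"))
            i += 1
    out: List[str] = []
    i = 0
    while i < len(raw):
        b = raw[i]
        n1 = raw[i + 1] if i + 1 < len(raw) else -1
        n2 = raw[i + 2] if i + 2 < len(raw) else -1
        if 0xC0 <= b < 0xE0 and _is_cont(n1):
            out.append(chr(((b & 0x1F) << 6) | (n1 & 0x3F)))          # accepts overlong
            i += 2
        elif 0xE0 <= b < 0xF0 and _is_cont(n1) and _is_cont(n2):
            out.append(chr(((b & 0x0F) << 12) | ((n1 & 0x3F) << 6) | (n2 & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(uri_stem: str) -> str:
    """Decode until stable (max 3 rounds, so double encoding is caught too)
    and unify Windows and URL separators."""
    decoded = uri_stem
    for _ in range(3):
        nxt = percent_decode_lenient(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """Walk the segments; a '..' that pops above the virtual root escapes it."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_request(uri_stem: str) -> List[str]:
    """Reasons (possibly none) a request matches the server-side behaviour described above."""
    path = normalize_path(uri_stem)
    reasons: List[str] = []
    if escapes_webroot(path):
        reasons.append("traversal-escapes-webroot")
    base = path.rsplit("/", 1)[-1].lower()
    if base in SHELL_NAMES:
        reasons.append("command-shell:" + base)
    # A separator that only appears after decoding is the MS00-078 signature itself.
    if path.count("/") > uri_stem.count("/") + uri_stem.count("\\"):
        reasons.append("encoded-separator")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse W3C-style lines and return one record per suspicious request."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _date, _time, client, _method, stem, _query, status = m.groups()
        reasons = analyze_request(stem)
        if reasons:
            hits.append({"client": client, "uri": stem, "status": int(status), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["uri"], ", ".join(hit["reasons"]))
```

Failed (404) attempts are reported as well, since a scan that only fires on 200 responses would miss the probing that precedes a successful compromise.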

System Modifications

When executed, the worm determines where it is being executed from. The worm overwrites Mmc.exe in the \Windows folder, or creates a copy of itself in the Windows Temporary folder.

Then, the worm infects executables, creates itself as .eml and .nws files, and copies itself as Riched20.dll in folders that contain .doc files on the local drive. The worm searches for files in the paths listed in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the System.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

The worm also replaces the file, Riched20.dll, which is a legitimate Windows .dll file that programs, such as Microsoft Word, use. By replacing this file, the worm is executed each time programs (such as Microsoft Word) are executed.

The worm also registers itself as a service process or adds itself as a remote thread to the Explorer process. This allows the worm to continue to execute even when a user is not actively logged on.

The worm copies itself as the file, %Windows\System%\load.exe.

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System folder (by default this is C:\Windows\System) and copies itself to that location.

Next, the worm creates open network shares for all the drives on the computer by modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all the open shares on the network by iterating through Network Neighborhood and by using randomly generated IP addresses. All the files on any open network shares are examined for possible infection. The worm infects all the .exe files except Winzip32.exe.

Next, the .eml and .nws files are copied to the open network shares, and the worm copies itself over as Riched20.dll to any folder that contains .doc files.

The worm changes the Explorer settings to not show Hidden files and known file extensions.

The worm adds the user, Guest, under the groups Guests and Administrators. This gives the guest account Administrative privileges. In addition, the worm actively shares C$ (C:\); no reboot is required for this share.

Mass-Mailer

Nimda contains a mass-mailing routine that is executed every 10 days. The worm begins this routine by searching for email addresses in the .htm and .html files on the local system. It also uses MAPI to iterate through all the messages contained in any MAPI-compliant email client; any MAPI-supporting email client may be affected, including Microsoft Outlook and Outlook Express. The worm uses these email addresses for both the To: and the From: addresses. Thus, mail sent from the infected computer will appear to have been sent by the people whose addresses Nimda found, not by the person whose computer is infected.

The worm uses its own SMTP server to send email messages, querying the configured DNS server for the recipient domain's mail exchanger (MX) record.

When the worm is received by email, the worm uses an old, known MIME exploit to auto-execute itself. The worm will be unable to execute using Microsoft Outlook or Outlook Express if the system has been patched against this exploit. Information regarding this exploit can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp.

Infecting Executables

The worm also attempts to infect .EXE files. First, the worm checks to see whether the file is already infected. If the file is not infected, the worm makes a copy of itself in the Temporary directory. The victim file is embedded inside the copy. This new file is then copied over the victim file, replacing the originally clean file with an infected version. Infected executables will be approximately 57344 bytes larger. When an infected file is executed, the worm will extract the original clean file to a temporary file and execute it along with itself. Thus, a user may not notice that an executable has become infected.

During execution, the worm may attempt to delete copies of itself. If the file is in use or locked, the worm will create the file, Wininit.ini, with an entry to delete itself upon reboot.

When infecting files, the worm may create two temporary files in the Windows Temporary folder as:
  • mep[nr][nr][letter][nr].TMP.exe
  • mep[nr][nr][letter][nr].TMP

Both files will be Hidden and have the system attribute set.

Ports that the worm uses are listed below. NOTE: These are all standard ports.
  • TCP 25 (SMTP): Used to send email to targets with addresses taken from the compromised client.
  • UDP 69 (TFTP): Opens port 69/udp for the TFTP transfer of admin.dll for the IIS infection. As part of this protocol, it makes outgoing connections to transfer the files.
  • TCP 80 (HTTP): Uses this port to target vulnerable IIS servers.
  • TCP 137-139, 445 (NETBIOS): Used in the transmission of the worm.

The worm contains bugs and can be resource-intensive. Thus, all the actions may not occur and you may notice system instability.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.




Symantec Security Response has posted a tool to remove the infections that W32.Nimda.A@mm caused.

NOTE: Once W32.Nimda.A@mm has attacked a computer, an unauthorized user may remotely access your system. For this reason, it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to your system, including but not limited to the following:

  • Stealing or changing passwords or password files
  • Installing remote-connectivity host software, also known as backdoors
  • Installing keystroke logging software
  • Changing firewall rules
  • Stealing credit card numbers, banking information, personal data, and so on
  • Deleting or modifying files
  • Sending inappropriate or even incriminating material from a customer's email account
  • Modifying access rights on user accounts or files
  • Deleting information from log files to hide such activities

If you need to be certain that your organization is secure, re-install the operating system and restore the files from a backup that was made before the infection took place, and then change all the passwords that may have been on the infected computers or that were accessible from it. This is the only way to ensure that your systems are safe. For more information regarding security in your organization, contact your system administrator.

Manual Removal Instructions
If you cannot obtain the removal tool, or if it does not work in your situation, follow these steps:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Do one of the following:
    • If you are running Windows NT/2000/XP, skip to step 3.
    • If you are running Windows 95/98/Me, edit the System.ini file as follows:
      1. Click Start, and then click Run.
      2. Type the following, and then click OK:

        edit c:\windows\system.ini

        The MS-DOS Editor opens.

        NOTE: If Windows is installed in a different location, make the appropriate substitution.

      3. Locate the line that begins with shell=
      4. Position the cursor immediately to the right of the equal sign.
      5. Press Shift+End to select all the text to the right of the equal sign, and then press Delete.
      6. Type the following text:

        explorer.exe

        The line should now look like:

        shell=explorer.exe

        NOTE: Some computers may have an entry other than Explorer.exe after shell=. If this is the case and you are running an alternative Windows shell, change this line to shell=explorer.exe for now. You can change it back to your preferred shell after you have finished this procedure.

      7. Click File, click Exit, and then click Yes when you are prompted to save the changes.
  3. Restart the computer.

    NOTE: When your computer restarts, it is likely that infected files will be found. We recommend that you attempt to repair the infected file. Quarantine any file that is not repairable.
  4. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  5. Scan your system with Norton AntiVirus. For more information, read the document, "How to run a full system scan with Norton AntiVirus."
  6. For each file detected as infected by W32.Nimda.A@mm or W32.Nimda.A@mm (html), choose Repair. Quarantine any file that is not repairable.
  7. For each file detected as infected by W32.Nimda.A@mm (dr), W32.Nimda.enc, or W32.Nimda.A@mm (dll), choose Delete.
  8. Restore Admin.dll and Riched20.dll from a backup, or from the Microsoft Windows or Office .cab files if necessary.
  9. Remove unnecessary shares.
  10. Delete the guest account from the Administrators group, if applicable.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners could detect the threat in that location.

For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article "Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

    How to extract the Riched20.dll
    If you see errors when you start programs such as Microsoft Word, or the programs will not start, you need to extract the Riched20.dll file. (As an alternative, you can re-install the operating system and the affected programs.)

    See the instructions for your operating system.

    NOTE: These instructions are provided for your convenience, and will work on most computers. For additional information on extracting files, including other Windows files that may have been damaged, read one of the following:

    Windows 95/98
    You need to use the Extract command at a DOS prompt. Follow these steps to do this, using the instructions for your operating system.

      NOTES:
      • You will need a Windows 98/Me startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98/Me computer). For instructions on how to create one, see the document, "How to create a Windows Startup disk."
      • Have the Windows installation CD available.
      • When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system

      • If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows folder.
      • For detailed instructions on using the Extract command, see the Microsoft document, "How to Extract Original Compressed Windows Files," Article ID: Q129605.
      • As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.
    1. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98/Me Startup disk in the floppy disk drive and turn on the computer again. At the menu, select Start with CD-ROM support.
    2. Type the command that applies to your operating system:
      • If you are using Windows 98, then type the following and press Enter:

        extract /a d:\win98\win98_28.cab riched20.dll /L c:\windows\system
      • If you are using Windows 95, then type the following and press Enter:

        extract /a win95_10.cab riched20.dll /L c:\windows\system

      NOTE: If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit, and then press Enter.



    Windows NT 4.0
    1. Make sure that Windows is configured to show all the files.
    2. Search for and then delete all the Riched20.dll files.
    3. Re-apply the most recent service pack. The service pack will replace the file with a new copy.
    4. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to re-install Microsoft Office.


    Windows 2000
    If you are using Windows 2000, a built-in program will find and replace missing or corrupt system files. To replace the corrupted Riched20.dll, follow these steps:
    1. Make sure System File Checker is enabled:
      1. Click Start, and then click Run.
      2. Type cmd, and then click OK.
      3. Type the following, and then press Enter:

        sfc /enable
      4. Type exit, and then press Enter.
    2. Make sure that Windows is set to show all the files:
      1. Start Windows Explorer.
      2. Click the Tools menu, and then click Folder options.
      3. Click the View tab.
      4. Uncheck "Hide file extensions for known file types."
      5. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
      6. Click Apply, and then click OK.
    3. Search for Riched20.dll:
      1. Click Start, point to Find or Search, and then click Files or Folders.
      2. Make sure that "Look in" is set to (C) and that Include subfolders is checked.
      3. In the "Named" or "Search for..." box, type or copy and paste the following filenames:

        riched20.dll
      4. Click Find Now or Search Now.
      5. Delete the displayed files.
    4. Restart the computer.
    5. System File Checker will replace any missing Riched20.dll files. If, after replacing the Riched20.dll file, programs such as Microsoft Word or Office no longer run, or you see error messages when they start, you may have to re-install Microsoft Office.

