***************************************************************************
                         FIX_NIMDA (version 1.22)
                            Trend Micro, Inc.
                         http://www.antivirus.com
***************************************************************************

I. File List

   o FIX_NIMDA.EXE    - fix tool for PE_NIMDA.A
   o README_NIMDA.TXT - this readme file
   o SLIDE.EXE        - accompanying file to clean HTM/HTML/ASP files
                        (You need NOT run this file; FIX_NIMDA.EXE runs
                        it automatically.)
   o SLIDE.DAT        - data file used by SLIDE.EXE

II. How to Use

   1. Turn off any anti-virus software installed. This avoids conflicts
      while the tool is scanning the system (a resident scanner may lock
      or quarantine the very files the tool is trying to clean).
   2. Disconnect the system from the network. This avoids reinfection
      while the tool is scanning the system.
   3. Place the 3 files (FIX_NIMDA.EXE, SLIDE.EXE and SLIDE.DAT) in the
      same directory.
   4. Open a Command Prompt (MS-DOS Prompt) and change to the directory
      where the tool resides.
   5. Run FIX_NIMDA.EXE (add the /UNSHARE command-line option to also
      remove all shared folders; see section III).
   6. Re-enable all the anti-virus software installed.

III. Description

   This tool is designed to clean a system that was infected by
   PE_NIMDA.A. It cleans the system without requiring a boot from a boot
   disk or emergency rescue disk.

   When FIX_NIMDA.EXE is executed, it performs the following steps:

   o Terminate PE_NIMDA.A in memory.
   o Remove traces of PE_NIMDA.A from the SYSTEM.INI file.
   o Scan all files on all fixed drives for infected executable and EML
     files.
   o Clean all infected files, except for mother files, which are
     deleted (see section V).
   o Scan/clean all HTM/HTML/ASP files for PE_NIMDA.A by executing
     SLIDE.EXE.

   This version can also unshare all shared folders when run with the
   /UNSHARE command-line option, and it removes the GUEST user account
   from the Administrators group.

IV. Requirements

   This tool runs under Windows NT/2000 and Windows 9X/ME.

   To execute properly under Windows NT/2000 it needs the following DLL
   file:

   o PSAPI.DLL

   Be sure that this file is present in the "Winnt\system32" directory.

V. Notes

   1. There are instances where the original mother file (a file that is
      the worm itself rather than an infected host program) is itself
      infected with PE_NIMDA.A, so the first detection reports
      PE_NIMDA.A. That file gets cleaned, and a second scan then reveals
      that what remains is the non-cleanable original mother file, which
      FIX_NIMDA.EXE deletes.
   2. The tool flags a file as PE_NIMDA.A-O when the file itself is an
      exact copy of the worm in its original form. Such a file has no
      host to restore, so the tool deletes it.

VI. Known Issues

   1. On Windows ME, deleted files are still present in the System
      Restore folder because of WinME's System Restore feature: when an
      infected file is deleted, System Restore backs it up for future
      restoration. The user has to delete this backup copy in the
      Restore folder manually.
   2. The virus drops its own RICHED20.DLL, while a normal Windows
      system also contains its own RICHED20.DLL. The normal RICHED20.DLL
      can be infected by the virus; it is cleaned and can still be used
      after cleaning. The RICHED20.DLL dropped by the virus, on the other
      hand, is a copy of the worm and is deleted. This is why
      RICHED20.DLL is sometimes deleted and sometimes cleaned.
   3. After rebooting, NT machines restore the default IPC$ share even
      if /UNSHARE removed it, because the system creates it itself.
   4. Under NT 4.0, the GUEST user is not disabled.

VII. History:

   version 1.00 - first release
   version 1.10 - restore original file attributes after cleaning
                - bug correction on CALC.EXE cleaning
   version 1.20 - support ASP scan/clean
                - bug correction on Dr. Watson error in NT
   version 1.21 - support:
                  a. scan/clean of non-English filenames
                  b. unshare all shared folders
                  c. disable GUEST user
   version 1.22 - disabled the automatic folder unsharing feature
                - added the /UNSHARE option
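Two of the conditions described in section III (the PE_NIMDA.A trace in SYSTEM.INI) and in the /UNSHARE option and Known Issue 3 (shared folders left behind, with IPC$ coming back on reboot) can be verified offline from text captured on the machine. The following is an added example, not Trend Micro's code and not part of FIX_NIMDA.EXE. It assumes, from public descriptions of the worm rather than from this README, that the SYSTEM.INI change is to the [boot] shell= line ("shell=explorer.exe load.exe -dontrunold"); the SYSTEM.INI contents and the "net share" listing it works on are constructed samples, so it runs on any host.

```python
"""Offline check of two things FIX_NIMDA.EXE is described as handling:
the PE_NIMDA.A trace in SYSTEM.INI and leftover shared folders.

Added illustration, not Trend Micro's code.  It works on text captured
from the machine (SYSTEM.INI contents, the output of "net share"), so it
can be run and tested on any host; the samples below are constructed.
"""
import re

# Assumption taken from public descriptions of the worm, not from this
# README: PE_NIMDA.A changes the [boot] "shell=" line of SYSTEM.INI from
# "shell=explorer.exe" to "shell=explorer.exe load.exe -dontrunold".
CLEAN_SHELL = "explorer.exe"

# Shares Windows NT/2000 creates by itself.  /UNSHARE cannot get rid of
# them for good: IPC$ comes back on reboot (Known Issue 3).
DEFAULT_SHARES = {"IPC$", "ADMIN$", "PRINT$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")       # C$, D$, ... admin shares


def clean_system_ini(text):
    """Return (cleaned_text, removed_tokens).

    Only the shell= line inside [boot] is touched, and only when it
    starts with explorer.exe and carries extra arguments; a deliberately
    different shell (e.g. progman.exe) is left alone.  Every other line
    is preserved as is.
    """
    out, removed, in_boot = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_boot = stripped.lower() == "[boot]"
        elif in_boot and stripped.lower().startswith("shell="):
            key, value = stripped.split("=", 1)
            tokens = value.split()
            if len(tokens) > 1 and tokens[0].lower() == CLEAN_SHELL:
                removed = tokens[1:]          # what the worm appended
                line = key + "=" + tokens[0]  # back to the bare shell
        out.append(line)
    cleaned = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return cleaned, removed


def nondefault_shares(net_share_output):
    """Parse the table printed by "net share" and return the names of
    shares that are neither the Windows defaults nor per-drive admin
    shares.  After cleaning, anything listed here deserves a look."""
    names, in_table = [], False
    for line in net_share_output.splitlines():
        if line.startswith("----"):
            in_table = True            # ruler line precedes the rows
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        name = line.split()[0]         # first column is the share name
        if name.upper() in DEFAULT_SHARES or DRIVE_SHARE.match(name.upper()):
            continue
        names.append(name)
    return names


# Constructed samples: a SYSTEM.INI carrying the worm's shell= line and a
# "net share" listing with two non-default shares.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=explorer.exe load.exe -dontrunold\n"
    "[386Enh]\n"
    "woafont=dosapp.fon\n"
)
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
C$           C:\\                             Default share
C            C:\\
DOCS         C:\\DOCS
The command completed successfully.
"""

if __name__ == "__main__":
    cleaned, removed = clean_system_ini(SAMPLE_SYSTEM_INI)
    print("removed from shell= line:", removed)
    print(cleaned)
    print("non-default shares:", nondefault_shares(SAMPLE_NET_SHARE))
```

On a real machine, feed clean_system_ini the contents of C:\WINDOWS\SYSTEM.INI (or C:\WINNT\SYSTEM.INI) and nondefault_shares the saved output of "net share"; IPC$ and the drive-letter admin shares are filtered out because, as Known Issue 3 notes, the system recreates them anyway.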