From: Dan Browder (danbPROXY.HORIZONDISPLAYS.COM)
Date: Tue Sep 18 2001 - 15:36:05 CDT


    There are more steps to take:

    Win98 may backup system.ini in:
    c:\windows\sysbckup\rb000.cab (001.cab etc)

    which would contain the infected system.ini

    The worm will also place files in the temporary directory
    with the extension .TMP; these files include load.exe (the worm).

    When rebooted, wininit.ini will rename these files and recreate load.exe,
    and also try to backup system.ini from the rb000.cab -- this will then
    start load.exe and restart the whole process. This got us 3 times until we
    figured out what was happening.

    Along with riched20.dll, you also need to delete or restore MAPI.DLL,
    possibly winzip32.exe

    Other possible infected files to check (these may be Win2k only)

    winzip32.exe
    riched20.dll
    MAPI32.DLL
    MPR.DLL
    mmc.exe
    system.ini
    load.exe

    I pulled those out of the load.exe executable.

    c: readme main index default html .asp .htm \readme.eml .exe
    mep

    The above line, in load.exe makes me assume that on an IIS box it will
    replace the default page with readme.eml

    Search the entire box for *.eml, *.nws, readme*.exe, load.exe and delete all
    instances, search all network shares which are open to this box for *.eml,
    *.nws, readme*.exe, load.exe and any of the above files. Check their dates
    and sizes against a clean box.

    The filenames for the EML and NWS files seem to be random files on the
    drive, but may be coming from a Recent Documents List.

    We've only had one infected computer, which was Win98, but it spread files
    to shares on Win2k, NT4 and Macintosh using the DAVE file sharing product.
    It also replaced riched20.dll on a separate NT4 box.

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of Luis Rivera
    Sent: Tuesday, September 18, 2001 3:09 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Removing the W32.Nimda.Amm from Windows 95/98

    Hello Russ,

    I am not sure if anyone has posted this info yet, but we were able to
    figure out how to remove the W32.Nimda.Amm from Windows 95/98. So far
    it has been effective.

    1) boot in DOS mode
    2) edit system.ini file in c:\windows
    3) look for this line
            shell= explorer.exe load.exe -donotloadold

    replace it with

            shell=explorer.exe

    4) goto c:\windows\system
            1) run attrib -s -h riched20.dll
            2) run attrib -s -h load.exe
            3) del riched20.dll, 56kb (check the date on it; if it is today's date,
    delete it)
            4) del load.exe

    If anyone has gotten further with Win2k, I would appreciate the info.

    - Luis Rivera
    Florida Tech

    Delivery co-sponsored by Trend Micro, Inc.
    TREND MICRO SCANMAIL FOR EXCHANGE 2000 -- SECOND to NONE

    If you are worried about email viruses, you need Trend Micro ScanMail for
    Exchange. ScanMail is the first antivirus solution that seamlessly
    integrates with the Microsoft Exchange 2000 virus-scanning API 2.0. ScanMail
    ensures 100% inbound and outbound email virus scanning and provides remote
    software management. Download a FREE 30-day trial copy of ScanMail and find
    out why it is the best:
    http://www.antivirus.com/banners/tracking.asp?si\I;$0&UL;
