***************************************************************************
                        FIX_NIMDA (version 1.25)
                           Trend Micro, Inc.
                        http://www.antivirus.com
***************************************************************************

I. File List

   o FIX_NIMDA.COM    - fix tool for PE_NIMDA.A / PE_NIMDA.B / PE_NIMDA.E
   o README_NIMDA.TXT - this readme file

II. How to Use

** IMPORTANT NOTE: PE_NIMDA.B overwrites EXE files during infection, thus
   the only way to clean the system is to delete the infected EXE files.
   There is a possibility that this virus will infect system files used by
   Windows or other applications, so deleting these files might cause
   Windows or those applications to malfunction.

1. Before using this tool, users, specifically those with IIS installed,
   are advised to install the patches provided by Microsoft. Links and
   descriptions for these patches are available at the end of this
   document.

2. Close all applications running on your system, including any antivirus
   software that may be installed, to avoid conflicts while the tool is
   scanning the system.

3. Disconnect the system from the network to avoid reinfection while the
   tool is cleaning the system. It is also recommended to run "Net Use"
   before running the tool on your network and to take note of the shared
   folders, as this tool has an option to remove these network shares.

4. Place FIX_NIMDA.COM in a temporary directory or folder.

5. Run FIX_NIMDA.COM by double-clicking the COM file, OR open a Command
   Prompt (MS-DOS Prompt), change to the directory where the tool was
   copied, and type:

      FIX_NIMDA.COM [pathname /C /Q /F= /GUEST /UNSHARE_ALL /UNSHARE_ROOT]

   Note: All the parameters are optional. Running the tool without options
   is equivalent to double-clicking it or running it from Explorer.

6. You may check the default log file generated by the tool, located at
   c:\Report.log.

7. Enable all installed antivirus software and perform a manual scan.

8.
   Please restore critical folders that are not used to share files outside
   of the computer.

III. Description

This tool is designed to clean a system that was infected by PE_NIMDA.A /
PE_NIMDA.B / PE_NIMDA.E. It cleans the system without having to boot from a
boot disk or emergency rescue disk (ERD).

The tool supports the following features:

   o Terminates PE_NIMDA.A / PE_NIMDA.B / PE_NIMDA.E in memory
   o Removes entries created by PE_NIMDA.A / PE_NIMDA.B / PE_NIMDA.E in the
     SYSTEM.INI file
   o Scans all files on all fixed drives, or in the specified paths, for
     infected executable and EML files
   o Cleans all PE_NIMDA.A-infected files (except dropper files, which are
     deleted) and deletes all PE_NIMDA.B-infected files
   o Scans/cleans all HTM/HTML/ASP files infected with JS_NIMDA.A /
     JS_NIMDA.B
   o Removes shared folders
   o Disables the "Guest" account and removes the "Guest" user from the
     "Administrators" group

IV. Parameters

   o pathname      - Full path of the folder to scan. By default all fixed
                     drives from C:\ to Z:\ and their subdirectories are
                     scanned.
   o /C            - Clean / delete infected files without prompting. By
                     default the tool scans a file and asks the user
                     whether to delete or clean it.
   o /GUEST        - Disable the "Guest" account and remove it from the
                     "Administrators" group.
   o /UNSHARE_ALL  - Unshare all shared folders.
   o /UNSHARE_ROOT - Unshare all root shared folders.
                     If either of these two options is used, users are
                     advised to take note of their shared folders by
                     following the steps in Section IX of this document.
   o /Q            - Quiet mode, no user intervention. When used WITHOUT
                     the /C option, the tool will only scan the system and
                     report infected files, but will not clean them.
   o /F=           - Save the report log to the specified file. (Default
                     file and pathname is C:\REPORT.LOG)

V. Syntax

1.
   Run FIX_NIMDA.COM without any parameters, or double-click it from
   Explorer:
      o Scan all fixed drives
      o Clean / delete infected files; users will be prompted to choose
        whether each infected file is cleaned or deleted
      o Log file at c:\Report.log
      o Do not disable the "Guest" account
      o Do not remove the "Guest" account
      o Do not remove shared drives
      o Scan all files (ignore extension)

2. Run FIX_NIMDA.COM with a pathname:
      o Scan files in the specified path recursively
      o Clean / delete infected files; users will be prompted to choose
        whether each infected file is cleaned or deleted
      o Log file at c:\Report.log
      o Do not disable the "Guest" account
      o Do not remove the "Guest" account
      o Do not remove shared drives
      o Scan all files (ignore extension)

3. Run FIX_NIMDA.COM

4. Run FIX_NIMDA.COM
      o Scan files in the specified path recursively

VI. Requirements

This tool is designed to run under Windows NT/2000 and Windows 9X/ME. To
execute properly under Windows NT/2000 it needs the following DLL file:

   o PSAPI.DLL

Make sure that this file is present in the "Winnt\system32" directory.

VII. Notes

1. There are instances where the original mother file itself becomes
   infected with PE_NIMDA.A / PE_NIMDA.E, so it is detected as PE_NIMDA.A /
   PE_NIMDA.E. The file is cleaned, and a second scan of the file reveals
   that it is the non-cleanable original mother file, which FIX_NIMDA.COM
   then deletes.

2. The tool flags a file as PE_NIMDA.A-O / PE_NIMDA.E-O when the file is an
   exact copy of the worm in its original form. It deletes the file to
   remove it from the system.

3. FIX_NIMDA.COM is a Windows executable renamed to COM to prevent it from
   being infected by common Win32 viruses.

VIII. Known Issues

1. Since PE_NIMDA.E infects EXPLORER.EXE in memory, this tool terminates
   all instances of EXPLORER.EXE, so all Explorer windows will be closed
   (Windows NT/2000 only).

2. On WinME systems, deleted files remain in the System Restore folder
   because of WinME's Restore feature.
   When an infected file is deleted, WinME's Restore folder backs up the
   file for future restoration. The user must manually delete this file in
   the Restore folder. Please visit the following Web site for a description
   and more detailed information on how to remove the contents of the
   _Restore folder:

   http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP?LN=EN-US&SD=SO&FR=0

3. While the virus drops an infected RICHED20.DLL file, normal Windows
   systems also contain their own RICHED20.DLL. The normal RICHED20.DLL can
   be infected by the virus, but it can still be used after it is cleaned;
   the other RICHED20.DLL, dropped by the virus, should be deleted. So
   RICHED20.DLL files are sometimes deleted and sometimes cleaned, depending
   on whether they were dropped by the virus or infected by it.

4. After rebooting, NT machines will restore the shares of ALL DEFAULT
   DRIVES.

5. Infected files that are currently in use by another program cannot be
   deleted immediately. On Win9x, the tool creates an entry in WININIT.INI
   to remove the infected file. On Win NT/2K, a special API function is
   used to delete the file when the system shuts down. In such cases,
   scanning with another product, or with the tool itself, might re-detect
   the infected file.

6. Some files detected as PE_NIMDA.A / PE_NIMDA.E are not infected samples
   but the actual dropper programs of this virus. When detected, the tool
   will attempt to clean these files. In the course of cleaning, the tool
   identifies the file as a dropper, at which point it deletes the dropper
   file.

7. On IIS servers, PE_NIMDA.A / PE_NIMDA.B / PE_NIMDA.E is received by the
   server through TFTP (Trivial File Transfer Protocol). Using this mode of
   transfer, the virus is first copied into a TFTP???? file before being
   copied to ADMIN.DLL / HTTPODBC.DLL. There will be instances when the
   download is not completed or not successful, and thus the TFTP????
   file will contain only traces of the virus. This copy is considered a
   corrupted version of the virus, since it will not execute, and therefore
   these samples will not be detected by this tool.

IX.

If the /UNSHARE_ALL option is going to be used, we also recommend doing the
following before running the tool:

1. Open the registry editor (regedit.exe).
2. Go to hklm\system\currentcontrolset\services\lanmanserver\shares.
3. Highlight the SHARES key, then go to the Registry menu.
4. Choose Export Registry File... and save the file to the desktop.
5. Execute the tool with /UNSHARE_ALL to clean the infected machine.
6. Afterwards, go to Control Panel\Services.
7. Restart the Server service.

These steps back up the names of your shared folders in a file.

X. Microsoft Fixes/Upgrades

1. For IIS 5.0 (Windows 2000 Server), please use Service Pack 2, found at
   the following URL:

2. System administrators running Windows NT or 2000 should in general apply
   the following fixes:
      Cumulative Patch for IIS
      Fix for Web Server Folder Traversal Vulnerability

3. For those who use Internet Explorer (IE) versions 5.01 and 5.5, please
   use the fix for the IE MIME Header Attachment Execution Vulnerability,
   found at:

XI. History

version 1.00 - first release
version 1.10 - restore original file attributes after cleaning
             - bug correction on CALC.EXE cleaning
version 1.20 - support ASP scan/clean
             - bug correction on Dr. Watson error in NT
version 1.21 - support for:
               a. scan/clean of non-English filenames
               b. unshare all shared folders
               c. disable GUEST user
version 1.22 - disabled the automatic folder unsharing feature
             - added the /UNSHARE option
version 1.23 - replaced /UNSHARE with /UNSHARE_ALL
             - merged SLIDE program with clean tool
             - added the option to specify a pathname to be scanned or
               cleaned
             - added the /UNSHARE_ROOT option
             - added the /Q option
             - added log report
version 1.24 - added detection and removal of PE_NIMDA.B and JS_NIMDA.B
version 1.25 - added detection and removal of PE_NIMDA.E

XII.
Others

This tool has been tested under the following platforms:

   Windows 9x
   Windows ME
   Windows NT 4.0 Workstation and Server
   Windows 2000 Professional and Server

XIII. For more information regarding these viruses, please visit our Web
site at:
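The share backup of Section IX and the unattended run of Section II, step 5, combined into one batch file for Windows NT/2000. This is an added example, not part of Trend Micro's tool or readme; it assumes FIX_NIMDA.COM was copied to C:\TEMP\NIMDA, that the /F= option takes the log path directly after the equals sign, and that the network has already been disconnected and antivirus software stopped as Section II requires.

```batch
@echo off
rem Added example (not Trend Micro's code): back up the share configuration
rem that FIX_NIMDA.COM /UNSHARE_ALL removes, run the tool unattended, and
rem keep its report next to the backups. WORKDIR is an assumed location.
rem Run only after Section II steps 2 and 3 (stop antivirus, unplug network).

set WORKDIR=C:\TEMP\NIMDA
set SHAREKEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

rem 1. Plain-text list of the current shares, so they can be recreated
rem    by hand later (net share lists the shares served by this machine).
net share > %WORKDIR%\shares_before.txt

rem 2. Registry export of the share definitions: Section IX steps 1-4 done
rem    from the command line instead of the regedit GUI (regedit /e).
regedit /e %WORKDIR%\shares_before.reg %SHAREKEY%

rem 3. Run the tool: quiet mode, clean without prompting, remove all
rem    shares, and write the report into WORKDIR instead of C:\REPORT.LOG.
%WORKDIR%\FIX_NIMDA.COM /Q /C /UNSHARE_ALL /F=%WORKDIR%\nimda_report.log

rem 4. Restart the Server service (Section IX steps 6-7) so the share table
rem    is rebuilt from whatever remains in the registry.
net stop server /y
net start server

rem 5. Show what was found; the report and both backups stay in WORKDIR.
type %WORKDIR%\nimda_report.log
```

To put the shares back once the machine is confirmed clean, import shares_before.reg (double-click it, or regedit shares_before.reg) and restart the Server service again; shares_before.txt is the human-readable record to check the result against.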