****************************************************************************
FIX_NIMDA version 4.00 (December 5, 2001)
Trend Micro, Inc.
http://www.trendmicro.com
****************************************************************************

I. Description

This fix tool is a stand-alone program provided by Trend Micro to clean systems infected with PE_NIMDA (variants A to G). It supports the following features:

 o Terminates all worm instances in memory
 o Removes worm registry entries
 o Scans for and deletes all worm copies on all local hard drives
 o Terminates PE_NIMDA.A - PE_NIMDA.G in memory
 o Removes entries created by PE_NIMDA.A through PE_NIMDA.G in the SYSTEM.INI file
 o Scans all files on all fixed drives or specified paths for infected executable and EML files
 o Cleans all PE_NIMDA.A-, PE_NIMDA.C-, and PE_NIMDA.E-infected files except for dropper files, which are deleted, and deletes all PE_NIMDA.B- and PE_NIMDA.F-infected files
 o Scans/cleans all HTM/HTML/ASP files infected with JS_NIMDA.A and JS_NIMDA.B
 o Removes shared folders
 o Disables the "Guest" account and removes the "Guest" user from the "Administrators" group

II. File List

 o FIX_NIMDA.COM - Fix tool for PE_NIMDA (variants A to F)
 o README_NIMDA.TXT - This file

III. Requirements

This tool is designed to run under the following platforms: Windows NT/2000/XP and Windows 9X/ME.

NOTE: For this tool to execute properly under Windows NT/2000, it needs the DLL file PSAPI.DLL in the WINNT\System folder.

IV. Parameters

 pathname      - Full path of the folder to scan. By default, all fixed drives from C to Z and their respective subdirectories are scanned.
 /C            - Clean or delete infected files without prompting. The default action of this tool is to scan a file and ask the user to verify whether the file should be deleted or cleaned.
 /GUEST        - Disable the "Guest" account and remove it from the "Administrators" group.
 /UNSHARE_ALL  - Unshare all shared folders.
 /UNSHARE_ROOT - Unshare all root directories of shared folders.

If the above two options are used, it is advised that users take note of their shared folders as described in the How to Use section.

 /Q            - Quiet mode, no user intervention. When used WITHOUT the /C option, the tool will only scan the system and report, but not clean or delete infected files.
 /F=           - Save the report log to the specified file. The default file and pathname is C:\REPORT.LOG.

V. Syntax

1. Run FIX_NIMDA.COM without any parameter(s) or double-click it from Windows Explorer.
   o Scan all fixed drives
   o Clean/delete infected files - users will be prompted on whether the infected files should be cleaned or deleted
   o Log file at c:\Report.log
   o Do not disable "Guest" account
   o Do not remove "Guest" account
   o Do not remove shared drives
   o Scan all files (ignore extension)

2. Run FIX_NIMDA.COM pathname
   o Scan files in the path specified recursively
   o Clean/delete infected files - users will be prompted on whether the infected files should be cleaned or deleted
   o Log file at c:\Report.log
   o Do not disable "Guest" account
   o Do not remove "Guest" account
   o Do not remove shared drives
   o Scan all files (ignore extension)

3. Run FIX_NIMDA.COM

4. Run FIX_NIMDA.COM
   o Scan files in the path specified recursively

VI. How to Use

** IMPORTANT NOTE: PE_NIMDA.B and PE_NIMDA.F overwrite .EXE files during infection, thus the only way to clean a system infected with either variant is to delete the infected .EXE files. Infected files may include files that are used by Windows or other applications, and deleting these files can cause Windows or other applications not to function properly. PE_NIMDA.D cannot successfully infect files. Files detected as such are malware files and will be deleted by this tool.

1. Before using this tool, users with IIS installed are advised to install the patches provided by Microsoft. Links to these patches are available at the end of this document.
2. Turn off all applications running on your system, including any antivirus software, which may conflict with this tool.
3. Disconnect the system from the network to avoid reinfection. It is advisable to run "Net Use" before running the tool on your network. Take note of the shared folders, as this tool has an option to remove these network shares.
4. Copy FIX_NIMDA.COM into a temporary directory or folder.
5. Run the fix tool, FIX_NIMDA.COM, by double-clicking the .COM file, OR open a Command Prompt (MS-DOS Prompt) and change to the folder where the tool was copied. Type:

   FIX_NIMDA.COM [pathname /C /Q /F= /UNSHARE_ALL /UNSHARE_ROOT]

   Note: All the parameters are optional. Running the tool without the options is equivalent to double-clicking or running the tool from Windows Explorer.
6. You may check the default log file generated by the tool, located at c:\Report.log.
7. Enable all antivirus software that is installed and perform a manual scan.
8. Restore critical folders that are not used to share files outside of the infected machine.

VII. Notes

1. There are instances where the original file or mother file is infected with PE_NIMDA.A, PE_NIMDA.C, and PE_NIMDA.E at the same time. In this case, its detection would be PE_NIMDA.A/PE_NIMDA.C/PE_NIMDA.E. The file is cleaned, and another scan of the file reveals that it is the non-cleanable original mother file, which this fix tool will delete.
2. The tool will flag a file as PE_NIMDA.A-O/PE_NIMDA.G-O when the file itself is an exact copy of the worm in its original form. It will delete the said file to remove it from the system.
3. FIX_NIMDA.COM is a Windows executable file renamed to .COM to prevent it from being infected by common Win32 viruses.

VIII. Known Issues

1. Since PE_NIMDA.E infects EXPLORER.EXE in memory, this tool terminates all instances of EXPLORER.EXE. Thus the Explorer windows will be closed on Windows NT and 2000 systems.
2. On Win ME systems, deleted files remain in the System Restore folder because of Win ME's Restore feature. When an infected file is deleted, the Restore folder of Win ME backs up the file for future restoration. The user must manually delete this file in the Restore folder. Please visit the following Web site for a description of, and more detailed information on, how to remove or disable the contents of the _Restore folder: http://www.trendmicro.com/vinfo/security/win_me_clean.htm
3. While the virus drops an infected RICHED20.DLL file, normal Windows systems also contain a RICHED20.DLL file. This normal RICHED20.DLL can be infected by the virus but can still be used after it is cleaned. The other RICHED20.DLL, dropped by the virus, should be deleted. So RICHED20.DLL files are sometimes deleted and sometimes cleaned, depending on whether they were dropped by the virus or are an infected copy of the original file.
4. After rebooting, NT machines will restore the shares of ALL THE DEFAULT DRIVES.
5. Infected files that are in use by another program cannot be deleted immediately. On Win9x, the tool creates an entry in WININIT.INI to remove the infected file. On Win NT/2K, a special API function is used to delete the file when the system shuts down. In such cases, scanning with another product before a restart, or with the tool itself, may result in a re-detection of an infected file.
6. Some files detected as PE_NIMDA.A/PE_NIMDA.G are not infected samples, but are the actual dropper programs of these viruses. When detected, the tool attempts to clean these files. In the course of cleaning, the tool identifies whether the file is a dropper or not, at which point the tool deletes all identified dropper files.
7. On IIS servers, PE_NIMDA.A through PE_NIMDA.G is received by the server through TFTP (Trivial File Transfer Protocol). Using this mode of transfer, the virus is first copied into a TFTP???? file before it is copied to ADMIN.DLL / HTTPODBC.DLL / GUEST.DLL. There will be instances when the download is not completed or not successful, and thus the TFTP???? file will contain only traces of the virus. This copy is considered a corrupted version of the virus and will not execute. These samples will not be detected by this tool.
8. EML samples for PE_NIMDA.F are detected as PE_NIMDA.B-O. This is due to the CRC detection on EML files for this variant of NIMDA.

IX. If the /UNSHARE_ALL option will be used, the following procedure is recommended to back up the names of your shared folders:

1. Open the registry (regedit.exe).
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares.
3. Highlight the SHARES key, then go to the Registry menu.
4. Choose Export Registry File... and save it to the Desktop.
5. Execute the tool with /unshare to clean the infected machine.
6. Afterwards, go to Control Panel\Services.
7. Restart the Server service.

X. Microsoft Fixes/Upgrades

1. For IIS 5.0 (Windows 2000 Server), please use Service Pack 2, found at the following URL:
2. System administrators running Windows NT or 2000, in general, should apply the following fixes:
   Cumulative Patch for IIS
   Fix for Web Server Folder Traversal Vulnerability
3. For those who use Internet Explorer (IE) versions 5.01 and 5.5, please use the fix for the IE MIME Header Attachment Execution Vulnerability, found in:

XI. History

version 1.00
 - first release
version 1.10
 - restored original file attribute after cleaning
 - added bug correction on CALC.EXE cleaning
version 1.20
 - supported ASP scan/clean
 - added bug correction on Dr. Watson error in NT
version 1.21
 - added support for:
   a. scan/clean of non-English filenames
   b. unshare all shared folders
   c. disable GUEST user
version 1.22
 - disabled the automatic folder unsharing feature
 - added the /UNSHARE option
version 1.23
 - replaced /UNSHARE with /UNSHARE_ALL
 - merged SLIDE program with clean tool
 - added the option to specify the pathname to be scanned or cleaned
 - added the /UNSHARE_ROOT option
 - added /Q option
 - added log report
version 1.24
 - added detection and removal of PE_NIMDA.B and JS_NIMDA.B
version 1.25
 - added detection and removal of PE_NIMDA.E
 - added termination and restarting of EXPLORER.EXE in WinNT/2K
version 2.00
 - added detection and removal of PE_NIMDA.C and PE_NIMDA.D
version 3.00
 - added detection and removal of PE_NIMDA.G
version 4.00
 - added detection and removal of PE_NIMDA.F
 - added recatch for undetected PE_NIMDA.E samples

XII. Compatibility

This tool has been tested under the following platforms:
 o Windows 9x
 o Windows ME
 o Windows NT 4.0 Workstation and Server
 o Windows 2000 Professional and Server
 o Windows XP

XIII. Additional resources

For more information regarding these viruses, visit our Web site at:
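The share-backup procedure from section IX, scripted for cmd.exe as an added example (this is not part of Trend Micro's FIX_NIMDA package): it records the output of "net share" and exports the lanmanserver\Shares key before the tool is run with /UNSHARE_ALL, and in a second pass re-imports the key and restarts the Server service. It assumes the NT-family cmd.exe (Windows NT/2000/XP), regedit.exe and net.exe on the PATH, an administrator session, and C:\nimda_backup as an assumed backup location.

```batch
@echo off
REM Added example, not part of the FIX_NIMDA package. Backup/restore of share
REM definitions around a FIX_NIMDA.COM /UNSHARE_ALL run (README section IX).
REM Assumes NT-family cmd.exe, regedit.exe and net.exe; BACKUP_DIR is assumed.
setlocal
set BACKUP_DIR=C:\nimda_backup
set SHARES_KEY=HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\Shares
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

if /i "%1"=="restore" goto restore

REM --- backup phase: keep a human-readable list and a re-importable export ---
net share > "%BACKUP_DIR%\shares_before.txt"
regedit /e "%BACKUP_DIR%\lanmanserver_shares.reg" "%SHARES_KEY%"
if not exist "%BACKUP_DIR%\lanmanserver_shares.reg" (
    echo Export of %SHARES_KEY% failed. Do not run /UNSHARE_ALL until this works.
    exit /b 1
)
echo Share definitions saved in %BACKUP_DIR%.
echo Next step (with the machine off the network): FIX_NIMDA.COM /C /UNSHARE_ALL /F=%BACKUP_DIR%\report.log
echo When the machine is verified clean, run: %~nx0 restore
exit /b 0

:restore
REM --- restore phase: re-import the key, then restart the Server service so
REM --- the restored definitions are read (README section IX, steps 6-7).
if not exist "%BACKUP_DIR%\lanmanserver_shares.reg" (
    echo No share backup found in %BACKUP_DIR%.
    exit /b 1
)
regedit /s "%BACKUP_DIR%\lanmanserver_shares.reg"
net stop server /y
net start server
net share > "%BACKUP_DIR%\shares_after.txt"
REM Show which share names differ from the pre-cleaning snapshot.
fc "%BACKUP_DIR%\shares_before.txt" "%BACKUP_DIR%\shares_after.txt"
exit /b 0
```

The default administrative shares (see Known Issue 4) come back on their own after a reboot, so only the user-defined share names in the fc output need attention.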