SWNIMDA
-------

Version 1.09, July 2002
Copyright (c) 2001, Sophos Plc.
www.sophos.com

1. Introduction
2. Disconnecting from the network
3. Making the SWNIMDA floppy disk
4. Obtaining the Microsoft security patches
5. Preparing to run SWNIMDA
6. Running SWNIMDA
7. After running SWNIMDA
8. Additional SWNIMDA options
9. For further assistance

1. Introduction
---------------

W32/Nimda-A and W32/Nimda-D are Windows 32 viruses which spread via email, network shares and websites. They can infect users of the Windows 95/98/Me operating systems as well as Windows NT and 2000. For details see:

  http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
  http://www.sophos.com/virusinfo/analyses/w32nimdad.html

The tool these notes refer to can be found at

  http://www.sophos.com/downloads/nimdasfx.exe

To check if a computer has W32/Nimda-A or W32/Nimda-D on it, run an 'All files' scan. Start Sophos Anti-Virus. Right-click your hard drive and select 'All files' from the menu that appears. Ensure that 'Subfolders' is also selected. Then run a scan. After you have finished, right-click the drive again and select 'Executables'.

Read through these notes before starting to disinfect your computer(s).

2. Disconnecting from the network
---------------------------------

You should disconnect any infected computers from the network before proceeding. This will prevent the virus from spreading any further while you are getting ready to clean infected computers.

3. Making the SWNIMDA floppy disk
---------------------------------

On an uninfected computer, copy NIMDASFX.EXE from the \tools\utils directory on the Sophos CD or download it from http://www.sophos.com/tools/nimdasfx.exe. Run NIMDASFX.EXE to extract SWNIMDA.EXE and these notes. They will extract to the directory C:\SOPHTEMP under Windows (the current directory under DOS). Copy SWNIMDA.EXE onto the floppy disk. Write-protect the floppy disk.

4. Obtaining the Microsoft security patches
-------------------------------------------

For information on how to protect your systems against W32/Nimda-A and W32/Nimda-D, go to

  http://www.microsoft.com/technet/security/topics/Nimda.asp

and download the suggested patches. If possible, install the relevant patches on all of the infected computers before disinfection.

5. Preparing to run SWNIMDA
---------------------------

W32/Nimda-A and W32/Nimda-D may infect large numbers of HTML files in your web cache. It is much faster to delete these files than to disinfect them. In Internet Explorer go to View|Internet Options and, in the Temporary Internet Files section, click Delete files.

Before running SWNIMDA under Windows 95/98/Me, it is vital that you ensure that the virus is not resident in memory. For this you must disinfect in a 16-bit environment, under which you can be sure that the 32-bit virus is completely paralysed. Under Windows NT/2000 it may be possible to disinfect at a command prompt. If not, you will have to reboot with an NTFS DOS driver.

a) On Windows NT and Windows 2000 systems

On a lightly infected computer running Windows NT or Windows 2000, where no significant services have become infected, it may be possible to run SWNIMDA from a command prompt.

Double-click on NIMDASFX.EXE to install it into C:\SOPHTEMP. Shut down all programs. Then go to Start|Settings|Control Panel and double-click Services. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.

Press the Control, Alt and Del keys at the same time. Click on Task Manager, then select the Processes tabbed page. Select a process and click on End Process. It may or may not end. Repeat this for other processes (including the Windows Desktop). When you have closed all possible programs in Task Manager, go to File|New Task (Run) and type Command. Close down the Task Manager screen.

At the command prompt type

  CD SOPHTEMP
  SWNIMDA C:

Repeat this process for other hard drives, e.g. SWNIMDA D:. You may get messages saying 'Error getting section information'. These messages do not affect disinfection and can be safely ignored.

When disinfection has finished, type Explorer to restart the Windows Desktop and run an 'All files' scan in Sophos Anti-Virus to check that the virus has gone. If the virus has gone, go to section 7 'After running SWNIMDA'. If the virus has not gone, you will have to clean boot with an NTFS DOS driver.

To clean boot computers with NTFS partitions you will need an NTFS DOS driver that can both read and write to NTFS partitions. Sophos has tested version 3.03 of the Winternals NTFSDOS Pro NTFS DOS driver and it is known to work satisfactorily with SWNIMDA. NTFSDOS Pro can be purchased from Winternals. Version 3.03 is packaged in with the current version (3.12). You can either download the two versions from http://www.winternals.com or contact Winternals Technical Support by email at support@winternals.com or by telephone at +1 (512) 330-9861.

Prepare an NTFS DOS boot disk using NTFSDOS Pro or a similar tool. Reboot the computer using your NTFS-aware boot disk.

b) On Windows 95/98

Restart the computer in MS-DOS mode. Note: starting a Command Prompt (a DOS window) is not enough. Go to the Start menu and select Shut Down. Choose the option 'Restart the computer in DOS mode'. This disables the virus and provides a safe environment for disinfection.

c) On Windows Me

This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click on 'Add/Remove Programs', select the 'Startup Disk' tab and press the 'Create Disk' button. When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe environment for disinfection.

You are now ready to run the SWNIMDA disinfection tool as described in the next section.

6. Running SWNIMDA
------------------

On the infected computer, insert the floppy disk containing the SWNIMDA utility and copy the SWNIMDA.EXE file into a temporary directory on the local hard disk. If you used NTFSDOS Pro to clean boot, this will be drive D:. In other cases this can be drive C:. In the following example drive C: is used.

  C:
  CD \
  MD SOPHTEMP
  CD SOPHTEMP
  COPY A:\SWNIMDA.EXE C:\SOPHTEMP

You can now run the SWNIMDA utility.

  SWNIMDA C:

The command above runs SWNIMDA, which scans all of the directories on drive C:, including subdirectories, and identifies all infected and viral files. Files which the virus has infected are cleaned. Those which the virus has created are deleted (there may be large numbers of them). Repeat this process for other hard drives, e.g.

  SWNIMDA D:

You may get messages saying 'Error getting section information'. These messages do not affect disinfection and can be safely ignored.

It is important to remember that infected files are not always restored to their original state.

Note: when a virus infects a file it is committing an unauthorised, illegal act and may damage the file. Such damage cannot be reversed automatically without a copy of the original file. SWNIMDA cannot guarantee to disinfect all files. In such cases you will see the message

  Disinfection unsuccessful

You must delete all files where disinfection did not succeed. These files can be restored from a clean backup or the original CD.

7. After running SWNIMDA
------------------------

After the disinfection process described above you must restart the computer in Windows and do the following:

a) Use Sophos Anti-Virus to scan the computer in Windows

This is necessary to ensure that directories that cannot be recognised under DOS (whose names contain illegal characters such as "!" and "?") are scanned. Run an 'All files' scan. Start Sophos Anti-Virus. Right-click your hard drive and select 'All files' from the menu that appears. Ensure that 'Subfolders' is selected. Then run a scan. After you have finished, right-click the drive again and select 'Executables'.

b) Microsoft security patches

Install any security patches that you did not manage to install before you disinfected.

c) Restore drive and file sharing (Windows NT and Windows 2000)

You will need to manually restore drive and file sharing to your previous settings. You must be logged on as Administrator to do this.

d) Restore Guest user (Windows NT and Windows 2000)

W32/Nimda-A and W32/Nimda-D give Administrator rights to the Guest user. Guest rights need to be restored.

Windows NT

Go to Start|Programs|Administrative Tools|User Manager (or User Manager for Domains). Double-click on Guest. Click the Groups button. Remove Guest's membership of all groups except 'Guest'.

Windows 2000 Workstation

Log on as Administrator. Go to Start|Settings|Control Panel|Users and Passwords. Highlight Guest. Click Properties. Click the Group Membership tab. Select the 'Other' radio button. Select Guests from the dropdown box. Click OK.

Windows 2000 Server

Log on as Administrator. Go to Start|Programs|Administrative Tools (Common)|Active Directory Users and Computers. Browse the tree under the server name to the Users subfolder. Left-click this folder. Right-click the 'Guest' user. Click Properties. Select the Member Of tab. Remove the Domain Administrators and Local Administrators groups if they are present.

e) Restore file extensions to their original settings

At the Desktop, double-click on the My Computer icon. Go to the View menu (or Tools if you are using Windows Me). Select Folder Options. Select the View tabbed page. Select your previous options for file extensions. Click OK. Exit from My Computer.

f) Restore the changes to System.ini

Open System.ini in Notepad. Search for the line

  shell= explorer.exe load.exe -dontrunold

Change this line to read

  shell= explorer.exe

Save and close.

g) System Restore and Windows Me

Go to Start|Settings|Control Panel. Double-click System, then select the Performance tab. Click File System and then click the Troubleshooting tab. Click to select the Disable System Restore box, click Apply, click to clear the Disable System Restore box, then click OK. Restart the computer.

8. Additional SWNIMDA options
-----------------------------

If you do not want SWNIMDA to request confirmation before attempting to disinfect each file, add the -NOC (for 'no confirmation') option when you run the program:

  SWNIMDA -NOC C:

If you want to produce a report recording the actions taken by SWNIMDA, add -LF=filename to write a log file:

  SWNIMDA -LF=SAV.LOG C:

If you want more detailed information in the disinfection log, add the -V (verbose) qualifier when executing the program:

  SWNIMDA -LF=SAV.LOG -V C:

If you do not want more detailed information in the disinfection log, add the -NV (not verbose) qualifier when executing the program. (This is the default option.)

If you want a temporary backup of the infected files while they are being disinfected, add the -T (temporary) qualifier when executing the program:

  SWNIMDA -T C:

If you do not want a temporary backup of the infected files while they are being disinfected, add the -NT (no temporary) qualifier when executing the program. (This is the default option.)

Note: the log files may become very large, particularly on servers containing thousands of files.

9. For further assistance
-------------------------

For further assistance, please contact Sophos technical support (support@sophos.com).

7 April 2003
----------------
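The System.ini check in section 7(f), as an added example that is not part of the Sophos notes: it walks the [boot] section of a constructed System.ini, reports a shell= line that still carries the appended 'load.exe -dontrunold' loader, and returns the file with that line restored to 'shell= explorer.exe' so a post-disinfection sweep can verify the manual edit was made on every machine.

```python
import re

# Constructed sample of a System.ini [boot] section as the notes describe it
# after infection: the shell line has 'load.exe -dontrunold' appended.
SAMPLE_SYSTEM_INI = """[boot]
shell= explorer.exe load.exe -dontrunold
drivers=mmsystem.dll

[386Enh]
device=*vmm32
"""

# The tail the notes say to remove, and the value they say to restore.
NIMDA_SHELL_TAIL = re.compile(r"\s+load\.exe\s+-dontrunold\s*$", re.IGNORECASE)
CLEAN_SHELL_LINE = "shell= explorer.exe"


def check_system_ini(text):
    """Return (was_modified, fixed_text, findings).

    Tracks the current [section] line by line and rewrites the shell= key in
    [boot] only when it ends with the appended loader. Every other line is
    kept unchanged so the result can be written back over System.ini as-is;
    running it a second time on the fixed text reports nothing.
    """
    fixed = []
    findings = []
    section = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "shell" and NIMDA_SHELL_TAIL.search(value):
                findings.append("line %d: %s" % (lineno, stripped))
                line = CLEAN_SHELL_LINE
        fixed.append(line)
    return bool(findings), "\n".join(fixed) + "\n", findings


if __name__ == "__main__":
    modified, fixed_text, findings = check_system_ini(SAMPLE_SYSTEM_INI)
    for finding in findings:
        print("Nimda shell line found at", finding)
    print(fixed_text)
```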