Email Worm Launches Attack
Auto-executing menace seeks vulnerabilities

Manual Removal Instructions:

Removing from a workstation (Windows PC)

  1. Disconnect from the Internet. If you are on a dial-up connection, close the connection. Cable modem users should unplug the cable connection.
  2. If you are on a network, disconnect from the network or disable all network sharing, or physically remove the network cable.
  3. Remove *all* shares from *all* local hard drives
  4. In Windows Explorer, make sure the Folder Options are set to classic and that all files can be viewed
    Open Windows Explorer
    Click Tools | Folder Options
    Make sure "Use Windows Classic Folders" is selected
    Click the "View" tab
    Select "Show all files and folders"
    Click Apply
    Click OK
    Close Windows Explorer
  5. Edit the SYSTEM.INI
    Click Start | Run
    Type "system.ini" (without the quotes)
    When SYSTEM.INI launches, find the [boot] section.
    Locate the line "shell=explorer.exe load.exe -donotloadold"
    Replace it with "shell=explorer.exe"
    Save the changes and close the file
  6. Reboot the system
  7. Use updated antivirus software to scan for any infected files. Delete any that are non-disinfectable. Restore necessary files from backup. Typically, the following files are affected:
    ADMIN.DLL    (found in root of all local drives)
    LOAD.EXE     (C:\Windows\System directory)
    MMC.EXE      (C:\Windows)
    RICHED20.DLL (found in all folders on all local drives)
    Any .EML or .NWS files found to be infected with Nimda should be deleted. Infected files are typically 79Kb.
  8. Delete all .TMP files (typically found in C:\Temp, C:\windows\Temp, or \Documents and Settings\Username\Local Settings\Temp directories)
  9. Remove the Guest account from the Administrators group and reset to appropriate access settings.
  10. Examine all .HTM, .HTML, and .ASP files for presence of JavaScript code referencing README.EML. Pay particular attention to files named DEFAULT, INDEX, MAIN, or README that have one of these extensions. Remove the script or, better yet, delete the files and restore from a clean backup.
  11. Reboot the system and scan once more to ensure no infected files are found.
  12. Restore a clean copy of RICHED20.DLL from backup to the C:\Windows\System or WINNT\System32 folder as applicable. RICHED20.DLL is used for the Rich Text Editing features of programs such as WordPad.
  13. Renew valid network shares with proper access rights.
  14. Only after all the steps above have been done should you reconnect to the network and Internet.
  15. Once an Internet connection has been established, immediately download and install the Microsoft Security Patch (MS01-020). Do not check your email first or browse to any other site, as you risk reinfection without the patch in place.
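As an added example (not part of the About.com article), the following Python script turns the file-system indicators from steps 5, 7, 10 and 12 above into a read-only scan over a drive image, run here against a constructed sample tree. The indicator names and the assumed legitimate RICHED20.DLL locations are my own.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the removal steps above (hypothetical helper, not the article's code).
SHELL_HIJACK = re.compile(r"^\s*shell\s*=\s*explorer\.exe\s+load\.exe\s+-donotloadold\b", re.I | re.M)
EML_REF = re.compile(r"readme\.eml", re.I)
WEB_EXT = {".htm", ".html", ".asp"}
# Assumed directories where RICHED20.DLL legitimately lives (step 12); elsewhere it is a dropped copy.
SYSTEM_DIRS = {"windows/system", "winnt/system32"}

def scan_tree(root):
    """Walk a drive image rooted at `root` and return a set of (indicator, relative_path)."""
    root = Path(root)
    found = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        name = p.name.lower()
        parent = p.parent.relative_to(root).as_posix().lower()   # "." for the drive root
        if name == "system.ini" and SHELL_HIJACK.search(p.read_text(errors="ignore")):
            found.add(("system.ini shell hijack", rel))               # step 5
        elif name == "admin.dll" and parent == ".":
            found.add(("admin.dll in drive root", rel))               # step 7
        elif name == "riched20.dll" and parent not in SYSTEM_DIRS:
            found.add(("riched20.dll outside system dir", rel))       # steps 7 and 12
        elif p.suffix.lower() in WEB_EXT and EML_REF.search(p.read_text(errors="ignore")):
            found.add(("web page references readme.eml", rel))        # step 10
    return found

def build_sample(root):
    """Constructed sample tree (not a real infection) that mirrors the indicators on this page."""
    root = Path(root)
    (root / "windows" / "system").mkdir(parents=True)
    (root / "windows" / "system.ini").write_text("[boot]\nshell=explorer.exe load.exe -donotloadold\n")
    (root / "windows" / "system" / "riched20.dll").write_bytes(b"legit")   # expected location, not flagged
    (root / "admin.dll").write_bytes(b"dropped")
    web = root / "inetpub" / "wwwroot"
    web.mkdir(parents=True)
    (web / "default.htm").write_text('<html><script>/* constructed */ "readme.eml"</script></html>')
    (web / "riched20.dll").write_bytes(b"dropped")
    (web / "about.html").write_text("<html><body>clean page</body></html>")

def demo():
    """Build the sample in a temp dir, scan it, and return the indicators that fired."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for indicator, path in sorted(demo()):
        print(f"{indicator:40} {path}")
```

Point `scan_tree` at a mounted image of the affected drive to get a hit list before following the deletion steps; it only reads, so it is safe to run before backups are restored.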

Removing from a server (Microsoft IIS)

  1. Download and install the August 2001 roll-up patch: Microsoft Security Bulletin (MS01-044)
  2. Download and install the "Relative Shell Path" patch: Microsoft Security Bulletin (MS01-052)
  3. Read and follow the administrative changes and patches recommended in:
    Microsoft Security Bulletin MS99-013
    Microsoft Security Bulletin MS99-025
    Microsoft Security Bulletin MS00-006
    Microsoft Security Bulletin MS00-025
    Microsoft Security Bulletin MS00-028
    Microsoft Security Bulletin MS01-025
    Microsoft Security Bulletin MS01-043
    Microsoft Security Bulletin MS00-084
  4. After installing the patches and making the necessary administrative changes, follow steps 1-14 outlined for workstations above.

©2009 About.com, a part of The New York Times Company.

All rights reserved.