Reply To: Nimba Virus Recovery
by cjmpe · about 23 years, 2 months ago
In reply to Nimba Virus Recovery
If your workstation isn’t too far gone, you can carry out the following procedure:
Disconnect system from the network.
Scan all files on all local hard drives and disinfect/delete with your favorite anti virus package.
Open “system.ini” in Notepad. Locate the following line:
“shell=explorer.exe load.exe -dontrunold”
and delete “load.exe -dontrunold”. Save the file when complete.
Open “wininit.ini” in Notepad. Look for strings that contain the following information (where XXXX represents four hexadecimal digits):
[rename]
NUL=C:\WINDOWS\TEMP\MEPXXXX.TMP.exe
Delete these lines if found and save the edited file.
Search the system for the “riched20.dll” file. If the file is located, scan it with your anti virus package. If it is infected, replace it with the original from the Windows media. The file will be located in a CAB file on your CDs and can be extracted using WinZIP. I don’t remember which CAB file contains “riched20.dll”, but the files are archived in the CAB files in alphabetical order, so start around file #25 or 30.
Reboot the system.
Perform another full scan from the GUI with action set to “Disinfect”.
*While scanning the drive, if your software finds JS/Nimda.A@mm in any *.HTML, *.ASP, or *.HTM files, as well as in files that contain the words “DEFAULT”, “INDEX”, “MAIN” or “README” in the filename, edit the appropriate file and remove the JavaScript code that the virus adds referring to the README.EML file, or restore the affected files from a backup. The virus appends the JavaScript code.
Finally, review the permissions of your shared folders. The virus may alter the permissions of the existing shares and/or add new ones.
I know this sounds tedious, but it should take no more than about 1 hour, and afterward you will know if a complete system rebuild is in order.
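The text edits in the procedure above (the shell= line in system.ini, the [rename]/NUL= lines in wininit.ini, and the appended JavaScript that refers to README.EML in web files) are mechanical enough to script. The following is an added example, not the poster's code or anything shipped with an anti virus product: it works on constructed sample file contents held in memory, the MEP1A2B.TMP.exe name and the window.open snippet are made-up stand-ins for what the post describes, and the filename filter implements the post's own rule (*.html, *.htm, *.asp, or a name containing DEFAULT, INDEX, MAIN or README). Replacing riched20.dll and reviewing share permissions are not modelled here and stay manual.

```python
import re

# Constructed samples modelling the three text edits the post describes
# (not captured from a real infected machine).
SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\ndevice=*vmm\n"
WININIT_INI = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\MEP1A2B.TMP.exe\n"
CLEAN_INDEX = "<html><body>Hello</body></html>\n"
# Hypothetical appended block: the only property relied on is the README.EML reference.
INFECTED_INDEX = CLEAN_INDEX + (
    '<html><script language="JavaScript">window.open("readme.eml", null)</script></html>\n')

# shell=explorer.exe load.exe -dontrunold  ->  shell=explorer.exe
SHELL_LINE = re.compile(r"^(shell=explorer\.exe)[ \t]+load\.exe[ \t]+-dontrunold[ \t]*$",
                        re.IGNORECASE | re.MULTILINE)
# NUL=...\MEPXXXX.TMP.exe with four hex digits, as in the post
RENAME_LINE = re.compile(r"^NUL=.*\\MEP[0-9A-F]{4}\.TMP\.exe[ \t]*$", re.IGNORECASE)
# a <script> element whose body mentions readme.eml
README_SCRIPT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*?readme\.eml(?:(?!</script>).)*?</script>",
    re.IGNORECASE | re.DOTALL)
EMPTY_HTML = re.compile(r"<html>\s*</html>", re.IGNORECASE)
NAME_WORDS = ("DEFAULT", "INDEX", "MAIN", "README")
EXTENSIONS = (".HTML", ".HTM", ".ASP")


def clean_system_ini(text):
    """Drop 'load.exe -dontrunold' from the shell= line, keeping shell=explorer.exe."""
    return SHELL_LINE.sub(r"\1", text)


def clean_wininit_ini(text):
    """Remove NUL=...\\MEPXXXX.TMP.exe lines; drop a [rename] header left without keys."""
    lines = [line for line in text.splitlines() if not RENAME_LINE.match(line)]
    out = []
    for i, line in enumerate(lines):
        if line.strip().lower() == "[rename]":
            following = [rest for rest in lines[i + 1:] if rest.strip()]
            if not following or following[0].lstrip().startswith("["):
                continue  # section is now empty, so the header goes too
        out.append(line)
    return "\n".join(out) + ("\n" if out else "")


def is_candidate(path):
    """Apply the post's filename rule to a Windows or POSIX path."""
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].upper()
    return name.endswith(EXTENSIONS) or any(word in name for word in NAME_WORDS)


def strip_readme_script(html):
    """Remove <script> blocks referring to readme.eml; return (cleaned_html, count)."""
    cleaned, count = README_SCRIPT.subn("", html)
    if count:
        # the appended block usually leaves an empty <html></html> wrapper behind
        cleaned = EMPTY_HTML.sub("", cleaned)
    return cleaned, count


def disinfect_tree(files):
    """files: {path: content}. Return {path: cleaned_content} for files that changed.

    On a real machine the dict would be built by walking the drive with os.walk
    and the cleaned text written back; in-memory here so the example runs offline.
    """
    changed = {}
    for path, content in files.items():
        if not is_candidate(path):
            continue
        cleaned, count = strip_readme_script(content)
        if count:
            changed[path] = cleaned
    return changed


if __name__ == "__main__":
    print(clean_system_ini(SYSTEM_INI))
    print(repr(clean_wininit_ini(WININIT_INI)))
    print(disinfect_tree({"index.htm": INFECTED_INDEX, "about.html": CLEAN_INDEX}))
```

The regexes are deliberately narrow: they key only on the exact strings the post names (the load.exe -dontrunold shell entry, the MEP????.TMP.exe rename, a script block mentioning readme.eml), so a clean file passes through unchanged and anything the script does alter is worth a second look before the full rescan.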