Operations > Computing > FAQ

Removing the Nimda Virus

If your system has been infected with the Nimda virus, you must perform the following steps:

1. Disconnect the system from the network.

2. Apply the following patches:

All users whose computers have Microsoft Internet Explorer (ver 5.01 or 5.5 without SP2) installed are advised to install the following Microsoft patch for the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability.

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

All IIS administrators (and Win2K users who may not be aware they are running IIS), who haven't already done so, should also install this Microsoft patch "August 15, 2001 Cumulative Patch for IIS":

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

3. Close any network shares prior to cleaning

4. Exit any running applications

5. Stop IIS server (if it is running)

6. Install Viruscan (if it hasn't been already installed), and update to the latest available DAT (virus database) files

VirusScan can be downloaded for free if you're UW faculty, staff, or a student: http://www.washington.edu/computing/software/sitelicenses/virusscan/

McAfee's download page for VirusScan software or up-to-date DAT files: http://download.mcafee.com/updates/updates.asp

7. Scan and clean each drive

8. Restore the RICHED20.DLL and MMC.EXE files if they were overwritten by the virus and deleted by the scanner. Failure to take these actions may result in reinfection.

Stand Alone Removal Tool

Please note Virusscan and Netshield products will detect and remove the virus and the associated files the virus infects. It will NOT remove the network shares or the guest account created by W32/Nimda@MM.

Users that would like to have these changes removed automatically can use the AVERT NimdaScan (current version 1.0f) program located on the AVERT Tools Page. Please follow the instructions in their README.TXT file when using the program.

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn

For more info about this Nimda virus, please got to McAfee.com's information page:

http://vil.mcafee.com/dispVirus.asp?virus_k=99209

Operations  
EE logo