The NIMDA is a mass mailing worm which spreads through email via a file called Readme.Exe. The worm uses the same technique as the CODERED to scan for web servers using the Microsoft IIS server software and will infect those without the security patch.

• Disconect the network. Reconnect only after the worm has been removed.
• Use V-Buster to scan all files. Delete all files with the worm. A list of the deleted files can be found in Vbuster.Log in the main directory of the hard disk. Some of these files are needed by Windows. You can either copy these files from another computer or reinstall Windows.
• Replace RICHED20.DLL in the WINDOWS\SYSTEM subdirectory or WINDOWS\WINNT\SYSTEM32 for Windows NT with a clean copy from another computer.
• Edit SYSTEM.INI in the Windows subdirectory and replace the string "shell=explorer.exe load.exe -donotloadold" with "shell=explorer.exe".
• Delete all TMP files, all shares and "Guest" accounts and put them back on with the correct access rights.
• Correct Windows Explorer's settings.

Return Home