NIMDA is a mass-mailing worm that spreads through email via a file called Readme.Exe. The worm uses the same technique as CODERED to scan for web servers running the Microsoft IIS server software and infects those without the security patch.
- Disconnect the network. Reconnect only after the worm has been removed.
- Use V-Buster to scan all files. Delete all files with the worm. A list
of the deleted files can be found in Vbuster.Log in the main directory
of the hard disk. Some of these files are needed by Windows. You can
either copy these files from another computer or reinstall Windows.
- Replace RICHED20.DLL in the WINDOWS\SYSTEM subdirectory (or
WINDOWS\WINNT\SYSTEM32 for Windows NT) with a clean copy from another
- Edit SYSTEM.INI in the Windows subdirectory and replace the string
"shell=explorer.exe load.exe -donotloadold"
- Delete all TMP files, all shares and "Guest" accounts and put them
back on with the correct access rights.
- Correct Windows Explorer's settings.
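As an added example, not part of the original instructions, the following Python script performs the SYSTEM.INI step above on a copy of the file's text: it reads the shell= entry of the [boot] section, flags any extra program after explorer.exe (such as the load.exe -donotloadold string quoted above) and restores the entry. The sample INI content is constructed, and it is assumed that a clean entry reads shell=explorer.exe with nothing after it.

```python
"""Check a Windows SYSTEM.INI for a tampered [boot] shell= entry and repair it."""
import re
import sys

# Constructed sample of a tampered SYSTEM.INI; not copied from a real machine.
SAMPLE_INI = """[boot]
shell=explorer.exe load.exe -donotloadold
drivers=mmsystem.dll

[386Enh]
device=*vshare
"""

# Assumption: the clean shell entry is explorer.exe alone, with no extra arguments.
CLEAN_SHELL = "explorer.exe"

# Matches "shell=<value>"; group 1 keeps the key and spacing, group 2 is the value.
SHELL_LINE = re.compile(r"^(\s*shell\s*=\s*)(.*)$", re.IGNORECASE)


def _is_section_header(stripped):
    return stripped.startswith("[") and stripped.endswith("]")


def find_shell_value(ini_text):
    """Return the value of the shell= entry inside [boot], or None if absent."""
    in_boot = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            in_boot = stripped.lower() == "[boot]"
            continue
        if in_boot:
            m = SHELL_LINE.match(line)
            if m:
                return m.group(2).strip()
    return None


def is_tampered(shell_value):
    """True when the shell entry runs anything besides explorer.exe."""
    if shell_value is None:
        return False
    parts = shell_value.split()
    return len(parts) != 1 or parts[0].lower() != CLEAN_SHELL


def repair_system_ini(ini_text):
    """Return (repaired_text, was_tampered); only the [boot] shell= line is touched."""
    out = []
    in_boot = False
    changed = False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if _is_section_header(stripped):
            in_boot = stripped.lower() == "[boot]"
        elif in_boot:
            body = line.rstrip("\r\n")
            m = SHELL_LINE.match(body)
            if m and is_tampered(m.group(2)):
                eol = line[len(body):]          # preserve the original line ending
                line = m.group(1) + CLEAN_SHELL + eol
                changed = True
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    # Usage: python repair_ini.py C:\WINDOWS\SYSTEM.INI  (no argument: run on the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_INI
    fixed, changed = repair_system_ini(text)
    print("tampered shell entry repaired" if changed else "shell entry is clean")
    if path and changed:
        open(path, "w", encoding="latin-1").write(fixed)
```

Run it against a copy of the file first and compare the output with the original; the script rewrites only the one line and leaves every other entry, including line endings, untouched.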