W32/Swen.A is particularly difficult to remove because it disables a number
of the common Windows tools used to remove worms, and disables antivirus
programs. It spreads by e-mail, KaZaA, IRC chat and over local networks.
- Disconnect your computer from the network.
- Disable system restore for Windows Me and
Windows XP. You can re-enable it after you're sure your
system is cleaned up, though for Me, you might consider leaving it disabled
since it tends to cause trouble.
- Back up the registry in case you, your computer
or Windows screw up.
- Make a registry repair file. Cut and paste the following section into
WordPad or another ASCII editor and save it as C:\swena.reg
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
[-HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
[-HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"
[-HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"%1\" %*"
[-HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="\"%1\" %*"
[-HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
@="\"%1\" %*"
- Run the command regedit -s \swena.reg
- Run regedit (Start / Run / regedit) and remove the line that
starts the worm. First, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Find the worm. It will be an entry to run a file with a randomly
generated name. Delete that registry entry.
Exit regedit.
- You should now be able to reboot your machine without the worm running.
If, after reboot, you can still Start / Run / regedit, it's gone for now.
- Update your antivirus program and do a scan
- Reconnect to the network, but remember, if your machine shares its C:
drive on the network, and any other computer on the network is still infected,
the worm will attempt to reinfect you.
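The repair file above deletes each file-class "open" command and recreates it with the stock value "%1" %*. Here is an added example (my own code, not part of the original page or of any vendor tool) that parses a REGEDIT4 file in that format, reports which file classes do not have the stock open command, and generates a repair file of the same shape. The sample .reg text is constructed: it is the page's file with the batfile entry replaced by a placeholder hijacked command (C:\HIJACKED\loader.exe is made up, not a real Swen path).

```python
import re

# Constructed sample: the page's repair file, with the batfile key given a
# placeholder hijacked default (not a real worm path) to show a detection.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"C:\\HIJACKED\\loader.exe\" \"%1\" %*"
'''

# What Windows sets these commands to on a clean install.
STOCK_OPEN_COMMAND = '"%1" %*'
FILE_CLASSES = ("exefile", "batfile", "comfile", "piffile", "regfile", "scrfile")


def _class_key(cls):
    return 'HKEY_LOCAL_MACHINE\\Software\\CLASSES\\%s\\shell\\open\\command' % cls


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a REGEDIT4 export. Returns (keys, deleted): keys maps a key path to
    {value name: value} ('@' is the default value), deleted is the set of
    [-KEY] paths. Handles quoted strings and dword: values; other types are
    kept as raw text."""
    keys, deleted = {}, set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4' or line.startswith(';'):
            continue
        if line.startswith('[-') and line.endswith(']'):
            deleted.add(line[2:-1])
            current = None
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition('=')
        name = '@' if name == '@' else _unescape(name.strip('"'))
        if value.startswith('dword:'):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            keys[current][name] = _unescape(value[1:-1])
        else:
            keys[current][name] = value
    return keys, deleted


def check_open_commands(keys):
    """Return {file class: current default} for every class whose open command
    is not the stock "%1" %*. A missing key is reported with value None."""
    bad = {}
    for cls in FILE_CLASSES:
        cmd = keys.get(_class_key(cls), {}).get('@')
        if cmd != STOCK_OPEN_COMMAND:
            bad[cls] = cmd
    return bad


def repair_reg(classes):
    """Build a REGEDIT4 repair file (delete the key, then recreate it with the
    stock default) for the given file classes, in the same shape as the page's
    swena.reg."""
    lines = ['REGEDIT4', '']
    for cls in classes:
        path = _class_key(cls)
        lines += ['[-%s]' % path, '[%s]' % path, '@="\\"%1\\" %*"', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    found, removed = parse_reg(SAMPLE_REG)
    print('hijacked or missing:', check_open_commands(found))
    print(repair_reg(check_open_commands(found)))
```

Deleting the key before recreating it (the [-KEY] line) matters: a plain [KEY] section only overwrites the values it lists, so any extra values the worm added would otherwise survive the import.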
The Klez.H worm propagates rapidly and efficiently using a whole host of
email tricks. My favorite is the "bounced email" message. Who can resist
opening a bounced email notice to see why it bounced? It has many other tricks
which enabled it to infect around the world with the rising sun.
Once you have the Klez (sooner, rather than later), it will infect the
rest of your network immediately. Updating your antivirus "after the fact"
won't help a lot because it goes for antivirus software immediately. A
heavily infected machine is likely to be reported clean. Computers can be
reinfected faster than the antivirus can clean them up.
Klez.H drops a virus, Elkern.C, on your computers, which propagates
and accounts for most of the infected files, especially in /Program Files.
Elkern.C is said to destroy all files on hard disks on March 13th and
September 13th.
A special "safe mode" tool is necessary to clean out the Klez once you
have it, and an up-to-date antivirus with active protection to keep you from
reinfecting.
- Go to an uninfected facility and download the Klez.H "safe mode" disinfect
tool. We use Command, but I
know Symantec has one and I presume everyone else does. Write the Klez tool
to a CD-ROM.
- Buy antivirus licenses for all your Windows PCs and servers, download it
along with the latest patches and definition updates and write it to the same
CD-ROM (this is easy with Command, impossible with some). Buy licenses for
every version of Windows you are running.
- Unplug every computer from the network. Check hubs and switches to make
sure everything is disconnected (except printers, cascaded hubs/switches,
routers, mainframes, and other non-PC units). NOTE: Linux / Unix /
OS/2 / Novell NetWare / Macintosh servers and workstations can't be infected
with the Klez, (nor run the antivirus program) but they can store infected
files if their hard disks are shared with Windows computers, and these files
can reinfect Windows computers.
- Start by executing the following steps on the servers. After the servers
are clean, plug them back into the network and plug workstations back in one
by one as they are certified clean. Put a sticker on each one as it is
certified to prevent mistakes.
- Open a DOS prompt and make a Klez subdirectory. Copy the Klez tool into it
and shut down (you can't copy from the CD in "safe mode" on Win95/98).
- Reboot in "Safe Mode" (hit the F8 key just as Windows starts, or over and
over every half second if you can't catch it otherwise. Select "Safe Mode"
from the menu). Note: Windows NT doesn't have a "safe mode", so just reboot,
run the tool and hope for the best.
- If you are running Windows Me, safe mode will bring up a troubleshooting
program. Close it. Better yet, take this opportunity to format the hard disk
and put on some version of Windows that actually sort of works - even Win95 if
that's all you have.
- Run the Klez cleanup program. You may get some messages about files that
cannot be disinfected. These may be links to files on other machines. Check
the log left by your cleanup program (probably in the root directory). They
will generally have a double extension {filename.ext.ext}, making them easy
to find and delete.
- Reboot and install the updated antivirus program. Yes, right now.
- Configure your antivirus program to scan "all files" and set it for
"active protection". Yes, I know that kills performance - but do you
want to do this every day? Another reason we like Command is its active
protection seems to burden the machine less than some others. We set both
active and directed scans to automatically disinfect.
- Run the updated antivirus program and clean out all the other viruses you
have collected. Make sure active protection is running.
- If your antivirus supports it, and you have some idea where incoming email
files are stored, you can make a special scan just for the email files.
- Run Regedit.exe and go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.
Look for a key titled Wink[some random characters here].exe. Delete that key.
Note: all the usual cautions about editing the registry apply.
- Now that you have a clean workstation, plug in all those Macintosh, Linux,
Unix, OS/2 and NetWare servers and workstations. Use your clean Windows machine
to scan any drives they share with Windows computers (Samba shares for
Linux/Unix).
- Now do the rest of your Windows computers. Note: some machines,
especially those very heavily infected or infected with multiple viruses
(my favorite is Klez.H and SirCam - the two tend to protect each other),
cannot be salvaged. Wipe Windows off, reinstall Windows and reinstall any
software that uses the registry.
- Once your network is clean, organize a Gestapo to patrol
your offices and make sure all computers remain properly protected with
"active protection" running. "Power Users" will tend to turn this off to
regain performance, so they need watching.
- Think really, really hard about dumping Microsoft operating systems and
moving to OS/2 (now eCS) or Linux - or Hell, even Macs.
This worm is not particularly dangerous but does clog up e-mail systems
using Microsoft Outlook.
- Delete the "AnnaKournikova.jpg.vbs" file from \Windows\System
- Select Start/Run and enter Regedit
- Delete the following Windows system registry keys:
HKEY_CURRENT_USER\Software\OnTheFly
HKEY_CURRENT_USER\Software\OnTheFly\mailed
Users of Outlook Express can take this measure to stop viruses and worms that
propagate by the methods of Love Bug and Anna Kournikova. Of course it
will also stop those nifty little attachments your friends e-mail to you.
- In Outlook Express, go to "Tools", then "Options".
- Click the "Security" tab.
- Select "Restricted Zone" and click OK.
This one prints "Fun Loving Criminal" on the screen and infects
Windows95/98, NT and 2000. First appeared November 1999. Most up-to-date
anti-virus programs can now handle it, but here's how to remove it by hand.
- Unplug network cables.
- Reboot in DOS mode or from a DOS boot floppy (you cannot delete the
virus from within Windows).
- Delete the Funlove executable program: del \windows\system\fless.exe
- Make a directory with the same name, so the virus cannot recreate the
file, to prevent reinfection: mkdir \windows\system\fless.exe
- Reboot to Windows.
- From Control Panel / Add/Remove Programs remove any anti-virus
programs you may have in case they are infected.
- From Start / Find search the hard disk for any fless.* files and
delete them.
- Install an up-to-date anti-virus program and scan the hard disk for
infected files.
For Windows NT, do the same, but instead of \windows\system use \winnt\system32.
This email worm is similar to AnnaKournikova, and was made using the VBSWG
virus writing kit. It arrives in an email with the subject "Homepage" and an
attachment called "homepage.HTML.vbs". The subject line is
"Hi! You've got to see this page! It's really cool".
If the attachment is opened, the worm writes itself to the file
homepage.HTML.vbs in the system temporary directory, then sends itself to
everyone in the Outlook address book. Next, it sets the registry entry
"HKCU\Software\An\mailed" to 1 so it won't bother mailing itself again.
Finally, it sets the Internet Explorer homepage to a porno site.
- Delete the program homepage.HTML.vbs (usually in /Windows/Temp, but use
Start / Find because different systems could use different Temp
directories).
- Might as well just leave the Registry entry.
- In Internet Explorer, go to your favorite Web page and select it as your
home page (unless you want to keep the porno site).
One of the most damaging viruses and quite widespread. New varieties of
Magistr appear periodically, so you must use a very up-to-date scanner.
This virus emails both to the Windows address book and to the addresses in
the Outlook Express Sent Items folder.
Magistr can cause system instability, erase files, overwrite hard disks,
erase CMOS setup, put insulting messages on the screen, and, on some
computers, flash the BIOS making the computer motherboard into junk. Since it
emails Microsoft Word documents it can also expose confidential information
to a wide audience.
Magistr changes its behavior depending on how long it has been on the
computer and several other factors. At one stage it may cause icons on the
desktop to move around and try to escape from the mouse pointer.
- Get the very latest version of your virus checker.
- Set the checker to run in Query / Repair mode so it asks you at each
file it finds infected.
- Run the checker on all hard disks in the system. Write down the names
of each file infected. NOTE: many files are damaged by Magistr and cannot
be repaired, but must be deleted.
- Check the Win.ini file. If the run= line attempts to run any of
the infected files, delete them. Most clean systems will have only run= on
the line.
- Check the registry for entries to run an infected file.
- Backup your registry files (User.dat, System.dat).
- Run regedit and go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Check in the right pane for entries that run files infected by
Magistr. Delete those entries.
This worm emails to the Outlook address book, sending a random Word
document with itself embedded. Because it sends a real document, it is a
privacy problem as well as an annoyance.
Caution: this virus can also spread through Microsoft network
shares.
If you get it as an attachment to an email, it will be from a real person,
very possibly someone you know, and the subject line will reference a real
document and may seem convincingly genuine. In the body will be these three
lines:
Hi! How are you?
I send you this file in order to have your advice.
See you later! Thanks.
The attachment will have a double extension (.doc.pif, .xls.pif, .doc.lnk,
etc.), but most Windows users will see only the first extension because of
Windows' "user friendly" habit of hiding known extensions.
Removal of this virus requires editing the registry, and should not be
attempted by someone who is not comfortable with that. A damaged registry
can require reloading Windows and reinstalling all your programs.
- Start/Run. Type in Regedit and run it.
- Find HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command
Double click on "Default" in the right pane.
Edit the contents of "Value Data" to read: "%1" %* (including quotes and
the space as shown).
- Find HKEY_LOCAL_MACHINE\Software\SirCam
In the left pane, delete SirCam.
- Find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
In the right pane, find the key Driver32. Delete it.
- Important Note: before the next step, deleting the virus, you must
have done the registry edit, otherwise, you will not be able to run Windows
programs, including Regedit. If you have accidentally done this, the easy way
to recover is to get a copy of SirC32.exe from another infected machine and
copy it to the RECYCLED directory.
- Using a file browser that can see hidden files, delete the file
SirC32.exe from the RECYCLED directory (usually C:\RECYCLED).
- Using a text editor, bring up the file \Autoexec.bat and look for the
line
@win \recycled\SirC32.exe. If it is there, delete it.
- Reboot.
- Run an up-to-date virus checker (virus definition file 17-Jul-01 or
newer) set to disinfect. You may have to remove the hidden file
\Windows\System\SCam32.exe by hand.
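The Magistr steps (check the win.ini run= line and the Run key against the list of infected files the scanner reported) and the SirCam steps (the Driver32 entry under RunServices and the @win line in autoexec.bat) are the same audit: find every startup hook that would launch a file you know is infected. Here is an added example (my own code, not from the page) that does that check over text you paste in. The win.ini and autoexec.bat contents and the Run-key entries are constructed samples; SAMPLE1.EXE is a placeholder, while \recycled\SirC32.exe, SCam32.exe and Driver32 are the names the page gives.

```python
import re

# Constructed sample inputs (not captured from a real machine).
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\SAMPLE1.EXE
[Desktop]
Wallpaper=(None)
"""

AUTOEXEC_BAT = """@echo off
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
rem keyboard layout goes here
@win \\recycled\\SirC32.exe
"""

# Run / RunServices entries as read off in regedit: value name -> command.
# ScanRegistry is a normal Windows 98 entry; Driver32 is the SirCam one.
RUN_ENTRIES = {
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
    "Driver32": "C:\\WINDOWS\\SYSTEM\\SCam32.exe",
}

# The list of infected files you wrote down from the scanner (constructed).
INFECTED = ["SAMPLE1.EXE", "SirC32.exe", "SCam32.exe"]


def win_ini_startup(text):
    """Programs started by the run= and load= lines of win.ini's [windows]
    section. A clean system normally has both lines empty."""
    progs, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section != 'windows':
            continue
        key, _, value = line.partition('=')
        if key.strip().lower() in ('run', 'load') and value.strip():
            progs += [p for p in re.split(r'[ ,]+', value.strip()) if p]
    return progs


# autoexec.bat lines that configure rather than launch anything
_NON_LAUNCH = ('echo', 'rem', 'set', 'path', 'prompt', 'cls')


def autoexec_launches(text):
    """Lines of autoexec.bat that start a program (a leading @ only hides the
    echo of the line, so it is stripped before looking at the command)."""
    out = []
    for line in text.splitlines():
        cmd = line.strip().lstrip('@')
        if not cmd or cmd.split()[0].lower() in _NON_LAUNCH:
            continue
        out.append(cmd)
    return out


def references_infected(command, infected):
    """True if the command line names one of the infected files
    (case-insensitive, since DOS/Windows file names are)."""
    low = command.lower()
    return any(name.lower() in low for name in infected)


def audit(win_ini, autoexec, run_entries, infected):
    """Return (where, entry) for every startup hook that runs an infected file."""
    hits = []
    for prog in win_ini_startup(win_ini):
        if references_infected(prog, infected):
            hits.append(('win.ini run=/load=', prog))
    for cmd in autoexec_launches(autoexec):
        if references_infected(cmd, infected):
            hits.append(('autoexec.bat', cmd))
    for name, cmd in run_entries.items():
        if references_infected(cmd, infected):
            hits.append(('Run key: ' + name, cmd))
    return hits


if __name__ == '__main__':
    for where, entry in audit(WIN_INI, AUTOEXEC_BAT, RUN_ENTRIES, INFECTED):
        print('%-22s %s' % (where, entry))
```

Delete only the hooks the audit reports; leave ordinary entries such as ScanRegistry alone, and do the registry and autoexec edits before deleting the files themselves, for the reason the note above gives.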
Many virus fixes require editing the Windows Registry. Due to the
brain-dead nature of the Windows Registry, this is a dangerous thing to do,
so it's best to back up the registry so it can be restored to its former
state before editing it.
Microsoft's instruction pages
Windows 95
Windows 98 and Windows Millennium Edition
Windows NT 4.0
Windows 2000
Windows XP
Windows95/98/Me - Regedit Method
- From Start/Run, run regedit
- In regedit click the Registry menu
Click Export Registry File
- Check that these items are selected:
# Save in: Desktop
# File name: RegistryBackup
# Save as type: Registration Files
# Export range: All
- Click Save
Exit from Regedit
- Check that you have an icon labeled RegistryBackup.reg on the
desktop.
CAUTION: Double clicking this icon restores the registry
to the condition before editing. Remove it from the desktop as soon as you
are sure your registry edits are OK.
Windows 98/Me - Scanreg Method
- Click Start / Shut Down. From the shutdown menu select
Restart in MS-DOS Mode and click OK
- At the DOS prompt type this command:
scanreg /backup
If the DOS prompt returns with no error messages, the registry is
backed up.
- Type win to restart Windows.
To restore a registry backed up by Scanreg:
- Restart in DOS mode as above.
- Type the command:
scanreg /restore
- From the menu of registry backups, select the top one.
- Type R to restore
- Type win to restart Windows.
Windows 95 - Copy Method
- Restart your computer and hit the F8 key just as Windows starts
(before the graphic screen) to get the startup menu.
- Select Safe Mode Command Prompt Only
- At the command prompt, type these commands:
cd windows
attrib -r -h -s system.dat
attrib -r -h -s user.dat
copy system.dat system.bu
copy user.dat user.bu
- Reboot normally
Disable System Restore, Windows Me
- Start Control Panel Start / Settings / Control Panel and double
click the System icon.
- Select the Performance tab, then select Filesystem
- Select the Troubleshooting tab, then click on the box labeled
Disable System Restore to set a checkmark
- Click on the Apply button, then OK your way out of System. Close
the Control Panel window and reboot.
Disable System Restore, Windows XP
- Click Start, Right-click My Computer, and then click
Properties.
- Select the System Restore tab.
Click on the box next to Turn off System Restore to set a check
mark, and click Apply.
- Answer Yes in the warning box
- OK your way out of properties
- Reboot