From: SOPHOS Removing worms
1. Removing worms in Windows 95/98/Me
2. Removing worms in Windows NT/2000/XP/2003
3. Removing worms on Macintosh computers
4. Removing worms in DOS
5. Removing worms in OS/2
6. Removing worms in NetWare
7. Removing worms in Unix
8. Removing worms in OpenVMS
Worms infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the virus analysis for details of such behaviour.
1. Removing worms in Windows 95/98/Me
To remove the worm
- Check the virus analysis for
details on the worm and its removal.
- Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus'
program.
- Select the 'Immediate' tab.
- Go to Options|Configuration... select the 'Action' tab, tick
'Infected files', select 'Delete' then click 'OK'.
- Click the 'Go' button on the toolbar to start the scan.
- Delete the files. Run another scan to check it has gone.
- Go back to Options|Configuration... select the 'Action' tab,
then deselect 'Infected files' and 'Delete'. Click 'OK'.
- Reboot and run a final scan to be certain it has gone.
If the worm cannot be removed because the files are held open
by the operating system:
2. Removing worms in Windows NT/2000/XP/2003
To remove the worm
- Check the virus analysis for
details on the worm and its removal.
- Close down all programs.
- Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus'
program.
- Select the 'Immediate' tab.
- Go to Options|Configuration... select the 'Action' tab, tick
'Infected files', select 'Delete' then click 'OK'.
- Click the 'Go' button on the toolbar to start the scan.
- Delete the files. Run another scan to check it has gone.
- Go back to Options|Configuration... select the 'Action' tab,
then deselect 'Infected files' and 'Delete'. Click 'OK'.
- Reboot and run a final scan to be certain it has gone.
If Sophos Anti-Virus cannot delete files because they are held
open by the operating system, make a note of the names of the files, then do as follows.
- Windows 2000/XP/2003
- Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
- Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop-down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option, 'Safe Mode with Command Prompt'.
- Either run SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
- At the infected computer, place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the worm.
- Before leaving Safe Mode edit any registry entries mentioned in the worm analysis recovery instructions.
- If problems persist contact support.
- Windows NT
- Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
- Either use SAV32CLI from the Sophos CD or download an
emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
- Shut down all programs.
- Go to Start|Settings|Control Panel and double-click Services. Stop as many services as possible using the Stop button.
Close and shut down the Control Panel.
- Press the Ctrl, Alt and Del keys at the same time. Click 'Task Manager' and select the Processes tab. Select a process and
click on End Process. It may or may not end. Repeat this for other processes (including the Windows desktop).
- After closing all possible programs go to File|New Task (Run) and type
'Cmd'.
- Close down the Task Manager screen.
- Place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive
(A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the worm.
- If worm removal has succeeded, edit any registry entries mentioned in the worm analysis recovery instructions.
- If problems persist contact support.
3. Removing worms on Macintosh computers
- Check the virus analysis for
details on the worm and its removal.
- Close down all programs.
- Run the 'Sophos Anti-Virus' program.
- Go to Edit|Preferences.
- Choose Virus Action from the Immediate Mode menu.
- Select Infected Files and Delete.
- Close SAV Preferences.
- Click on the Go button.
- Click 'OK' when asked if files should be deleted.
- Run another scan to ensure that the worm has been removed.
- Go back to Virus Action and deselect Infected Files and
Delete.
If problems with the worm persist then contact support.
4. Removing worms in DOS
You will need SWEEP for DOS on floppy disk. To obtain it, make a set of Emergency SAV disks.
- Check the virus analysis for
details on the worm and its removal.
- Reboot your PC from a clean system disk, put the
'SWEEP for DOS' disk in the floppy drive and at the A: prompt
type:
SWEEP *: -REMOVEF
5. Removing worms in OS/2
To delete infected files:
- Check the virus analysis for
details on the worm and its removal.
- For drive C: at a command prompt type
OSWEEP C: -REMOVEF
- Run a scan to check that all worm files were deleted.
If infection persists disinfect in stand-alone mode:
- If OS/2 is running, shut it down.
- Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen
instructions. When booting has finished the A: prompt appears.
- Remove the OS/2 Utility disk.
- Place the 'Emergency OSWEEP' disk in drive A:.
- For drive C: at the A: command prompt type
OSWEEP C: -REMOVEF -CI
(-REMOVEF deletes the infected files, -CI checks the integrity of
SWEEP on the 'Emergency OSWEEP' disk). The computer checks program
integrity then asks for the virus data disk. Replace the 'Emergency
OSWEEP' disk with the virus data disk.
- After disinfection, run another scan to check that all worm
files were deleted.
If problems persist contact
support.
6. Removing worms in NetWare
Worm files should be deleted.
Note: This will delete any documents infected with macro
viruses. Deal with them first.
- Check the virus analysis for
details on the worm and its removal.
- Run a scan to locate all worm files.
- Select 'Delete' in the 'Removal mode' option of the 'Immediate
mode' menu.
- Delete the worm files.
7. Removing worms in Unix
To delete worm files:
- Check the virus analysis for
details on the worm and its removal.
- Use SWEEP with the -remove option:
sweep -remove
- Run a scan to check that all worm files were deleted.
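The page notes that worm files can simply be deleted but that worms usually add a startup entry so they run again on boot-up. As an added example that is not Sophos code, the POSIX shell function below takes the worm file names noted from the scan log and checks, after `sweep -remove`, that none of them still exists and that no startup file still references them. The startup file paths and the sample tree are constructed for illustration; the real list of files comes from the worm analysis.

```shell
#!/bin/sh
# Added example, not part of the Sophos page. Verifies that worm
# removal left no files and no boot-time references behind.

# Builds a constructed sample tree (one clean startup file and one
# carrying a hypothetical worm entry) so the script runs offline.
make_sample_tree() {
    root=$1
    mkdir -p "$root/etc" "$root/home/user"
    printf '%s\n' '#!/bin/sh' 'exit 0' > "$root/etc/rc.local"
    printf '%s\n' 'PATH=$PATH:$HOME/bin' '/tmp/.x/wormd &' \
        > "$root/home/user/.profile"
}

# residue_check WORMFILES STARTUPFILES
#   WORMFILES    space-separated paths noted from the scan log
#   STARTUPFILES space-separated startup files to inspect
# Prints each finding; returns 0 when clean, 1 when residue remains.
residue_check() {
    wormfiles=$1
    startupfiles=$2
    found=0
    for w in $wormfiles; do
        # The file itself should be gone after sweep -remove.
        if [ -e "$w" ]; then
            echo "still present: $w"
            found=1
        fi
        # Any startup file naming the worm would relaunch it on boot.
        base=$(basename "$w")
        for s in $startupfiles; do
            [ -r "$s" ] || continue
            if grep -q -F -- "$base" "$s"; then
                echo "startup reference to $base in $s"
                found=1
            fi
        done
    done
    return $found
}
```

Run `residue_check` once after `sweep -remove` and again after the final reboot scan; a non-zero return means a startup entry still needs editing by hand, as the analysis recovery instructions direct.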
8. Removing worms in OpenVMS
To delete worm files:
- Check the virus analysis for
details on the worm and its removal.
- Delete the worm files by running VSWEEP from DCL using the
command line qualifier '/REMOVEF'.
Note: '/REMOVEF' does not prompt for confirmation
before deletion and should be used with caution.
For details on the use of these command line qualifiers and
sample batch files using them, see the Sophos Anti-Virus for
OpenVMS manual.