Removing worms

1. Using Enterprise Console
2. Sophos Anti-Virus for Windows, version 6
3. Sophos Anti-Virus for Windows, version 5
4. Sophos Anti-Virus for Windows NT, version 4.5x, and Sophos Anti-Virus for Windows NT/2000/XP/2003, version 4.1x and lower
5. Windows 95/98/Me
6. Macintosh OS X computers
7. DOS
8. OS/2
9. NetWare
10. Linux
11. UNIX
12. OpenVMS
Worms infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the threat analysis for details of such behavior.
1. Using Enterprise Console
You can remove worms over a network using Enterprise Console.
2. Sophos Anti-Virus for Windows, version 6
To remove a Worm:
Close down all programs.
Go to Start > Programs > Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
In the 'Available scans' list, select the scan for which you want to enable disinfection. (Do not select a scheduled scan, as you will not be able to run this manually.)
Click Edit > Configure this Scan.
Select the Cleanup tab and select 'Automatically clean up items that contain a virus'. Click Apply, then OK.
Click 'Save and Start' to save the scan, and run it immediately.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the virus has been removed.
Click Edit > Configure this Scan.
Select the Cleanup tab and deselect 'Automatically clean up items that contain a virus'. Click Apply, then OK.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
Restart the computer in Safe Mode. Go to Start > Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
At the infected computer, place the CD in the CD drive (D: in this example). At the command prompt type
D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
Before leaving Safe Mode, edit any registry entries mentioned in the Worm analysis recovery instructions. If problems persist, contact support.
3. Sophos Anti-Virus for Windows, version 5
To remove a Worm:
Close down all programs.
Go to Start > Programs > Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
In the 'Available scans' list, select the scan for which you want to enable disinfection. (Do not select a scheduled scan, as you will not be able to run this manually.)
Click Edit > Configure this Scan.
Select the Disinfection tab and select 'Delete'. Click Apply, then OK.
Click 'Save and Start' to save the scan, and run it immediately.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the virus has been removed.
Click Edit > Configure this Scan.
Select the Disinfection tab and deselect 'Delete'. Click Apply, then OK.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
Restart the computer in Safe Mode. Go to Start > Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
At the infected computer, place the CD in the CD drive (D: in this example). At the command prompt type
D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
Before leaving Safe Mode, edit any registry entries mentioned in the Worm analysis recovery instructions. If problems persist, contact support.
4. Sophos Anti-Virus for Windows NT, version 4.5x, and Sophos Anti-Virus for Windows NT/2000/XP/2003, version 4.1x and lower
To remove a Worm:
Check the threat analysis for details on the Worm and its removal.
Close down all programs.
Go to Start > Programs > Sophos Anti-Virus and run the Sophos Anti-Virus program.
Select the 'Immediate' tab, then select the relevant drive.
Go to Options > Configuration. Select the 'Disinfection' or 'Action' tab (according to what is displayed in your window), select 'Infected files', select 'Delete', then click 'OK'.
Click the green 'scan' arrow, or the 'GO' button (as appropriate) to run the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options > Configuration, select the 'Disinfection' or 'Action' tab, then deselect 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.
Windows NT
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
Shut down all programs.
Go to Start > Settings > Control Panel and double-click 'Services'. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.
Press the Ctrl, Alt and Del keys at the same time. Click 'Task Manager' and select the Processes tab. Select a process and click on 'End Process'. It may or may not end. Repeat this for other processes (including the Windows desktop).
After closing all possible programs, go to File > New Task (Run) and type 'Cmd'.
Close down the Task Manager screen.
Place the CD in the CD drive (D: in this example). At the command prompt type
D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
If worm removal has succeeded, edit any registry entries mentioned in the worm analysis recovery instructions.
If problems persist, contact support.
Windows 2000/XP/2003
Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
Restart the computer in Safe Mode. Go to Start > Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
At the infected computer, place the CD in the CD drive (D: in this example). At the command prompt type
D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
Before leaving Safe Mode, edit any registry entries mentioned in the worm analysis recovery instructions.
If problems persist, contact support.
5. Windows 95/98/Me
To remove a Worm:
Check the threat analysis for details on the Worm and its removal.
Close down all programs.
Go to Start > Programs > Sophos Anti-Virus and run the Sophos Anti-Virus program.
Select the Immediate tab.
Go to Options > Configuration. Select the 'Disinfection' or the 'Action' tab (according to what is displayed in your window), select 'Infected files', select 'Delete', then click 'OK'.
Click the green 'scan' arrow, or the 'GO' button (as appropriate) to run the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options > Configuration. Select the 'Disinfection' or the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone. If the worm cannot be removed because the files are held open by the operating system:
Reboot the computer from a clean startup or system disk.
Delete the worm files manually or using the DOS instructions.
6. Macintosh OS X computers
To remove a worm:
Check the threat analysis for details on the worm and its removal.
Close down all programs.
Run the Sophos Anti-Virus program.
Go to 'Sophos Anti-Virus preferences'.
Choose 'Disinfection' from the 'Immediate Mode' menu.
Select 'Infected Files' and 'Delete'.
Close 'Sophos Anti-Virus preferences'.
Click the green 'Play' arrow button.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the worm has been removed.
Go back to 'Virus Action' and deselect 'Infected Files' and 'Delete'.
If problems persist, contact support.
7. DOS
You will need SWEEP for DOS on floppy disk. To do this, make a set of Emergency SAV disks.
Check the threat analysis for details on the worm and its removal.
Reboot your PC from a clean system disk, put the SWEEP for DOS disk in the floppy drive and at the A: prompt type:
SWEEP *: -REMOVEF
8. OS/2
Check the threat analysis for details on the worm and its removal.
For drive C:, at a command prompt type
OSWEEP C: -REMOVEF
Run a scan to check that all worm files were deleted.
If infection persists, disinfect in stand-alone mode:
If OS/2 is running, shut it down.
Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen instructions. When booting has finished the A: prompt appears.
Remove the OS/2 Utility disk.
Place the Emergency OSWEEP disk in drive A:.
For drive C:, at the A: command prompt type
OSWEEP C: -REMOVEF -CI
(-REMOVEF deletes the infected files; -CI checks the integrity of SWEEP on the 'Emergency OSWEEP' disk.) The computer checks program integrity, then asks for the virus data disk. Replace the Emergency OSWEEP disk with the virus data disk.
After disinfection, run another scan to check that all worm files were deleted.
If problems persist, contact support.
9. NetWare
Note: This will delete any documents infected with macro viruses. Deal with them first.
Check the threat analysis for details on the worm and its removal.
Run a scan to locate all worm files.
Select 'Delete' in the 'Removal mode' option of the Immediate Mode menu.
Delete the worm files.
10. Linux
Check the threat analysis for details on the worm and its removal.
Use savscan with the -remove option:
savscan -remove
Run a scan to check that worm files were deleted.
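The Linux procedure above as a script: a removal pass with savscan -remove, then a verification scan, so the host is only reported clean when the second pass finds nothing. This is an added example, not Sophos code; it assumes savscan exits 0 when clean and 3 when threats are found, and lets SCANNER be overridden so the logic can be exercised with a stub.

```sh
#!/bin/sh
# Added example: two-pass worm removal (remove, then rescan) around savscan.
# Not part of Sophos Anti-Virus.
# ASSUMPTION: savscan exits 0 when clean and 3 when threats are found; any
# other status is treated as a scanner error. SCANNER may be overridden
# (e.g. with a stub shell function) to exercise the logic without the product.
SCANNER="${SCANNER:-savscan}"
LOG="${LOG:-/tmp/worm-removal.log}"

# run_pass MODE TARGET: MODE is "remove" or "verify". Scanner output is
# appended to $LOG; the scanner's exit status is returned unchanged.
run_pass() {
    mode="$1"; target="$2"
    if [ "$mode" = remove ]; then
        "$SCANNER" -remove "$target" >>"$LOG" 2>&1
    else
        "$SCANNER" "$target" >>"$LOG" 2>&1
    fi
}

# remove_and_verify TARGET: returns 0 when the verification scan after the
# removal pass is clean, 1 when threats remain (for example because the
# files are held open, as the text warns), 2 on a scanner error.
remove_and_verify() {
    target="$1"
    rc=0; run_pass remove "$target" || rc=$?
    case $rc in
        0|3) ;;   # 0: nothing found to remove; 3: threats found, removal attempted
        *) echo "$target: scanner error ($rc) during removal pass, see $LOG"; return 2 ;;
    esac
    rc=0; run_pass verify "$target" || rc=$?
    case $rc in
        0) echo "$target: clean after removal"; return 0 ;;
        3) echo "$target: threats still present after removal, see $LOG"; return 1 ;;
        *) echo "$target: scanner error ($rc) during verification pass, see $LOG"; return 2 ;;
    esac
}

# Usage: sh remove_worm.sh /path/to/scan
if [ -n "${1:-}" ]; then
    remove_and_verify "$1"
fi
```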
11. UNIX
Check the threat analysis for details on the worm and its removal.
Use SWEEP with the -remove option:
sweep -remove
Run a scan to check that all worm files were deleted.
12. OpenVMS
Check the threat analysis for details on the worm and its removal.
Delete the worm files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.
(Source http://www.sophos.com/security/analyses/w32sillyfdct.html)