F-Prot Antivirus with the latest signature files can detect the Nimda.A
worm. Full disinfection of the worm requires on the other hand some
manual attention. To disinfect the worm and restore security of affected computers, please follow these instructions:
1. Update the virus signature files. Information on how to update can be found at the F-Prot support page.
2. Temporarily disable the network. This is necessary since the worm uses the network to spread itself.
4.Delete all infected copies of .EML and .NWS files (normally 79 KB in size). Note that you might have clean EML files as well, for example if you've saved e-mails to file from Outlook Express.
5.Replace RICHED20.DLL in the Windows System directory (typically C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32) with a clean copy that can either be retrived from the original Windows CD or another computer that's running the same operating system
6. Locate SYSTEM.INI file in your Windows directory and open it with a text editor. Replace the string: "shell=explorer.exe load.exe
-donotloadold" with: "shell=explorer.exe" string.
7.Delete all .TMP files from your local temporary directories.
8. Delete all shares and put them back on with the correct access right. The virus affects shares security.
9. Remove the 'Guest' account and renew it with correct access rights. Remove the guest account from the administrators group. You should consider whether you need to have the guest account enabled. If you do not then you should disable the guest account
10. Correct Windows Explorer's settings concerning displaying of hidden files and certain extensions if necessary, as the worm makes Explorer to hide certain files and extensions.
11. Restore network connections only after all workstations are disinfected or the worm will re-infect already clean computers.