Anti-Nimda Virus Scanner and Cleaner with IIS Invulnerability Filter

Environment: VC6, 95/98/NT/2000

PROJECT 1: Nimda Virus Scanner & Cleaner

Pardon the lack of special features in this program. I shotgun coded it overnight when the Nimda virus went wild and the big-shot virus scanners didn't have any (clean enabled) virus definitions. I find it still works better than McAfee, F-prot and Norton AV at cleaning the Nimda virus.

PROJECT 2: IIS Vulnerability Filter Patch

The second project in the workspace is an Internet Information Server (IIS) filter that patches the vulnerability in IIS that lets the Nimda virus run wild. For a reason I can't figure out, the patch recommended by Microsoft did not close the vulnerability and our servers continued to get infected. Once installed, this filter DLL returns an 'Internal Server Error' to anyone attempting to take advantage of the vulnerability. To install, double-click on the nimda-filter.reg file. This sets the registry key:
   'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filter DLLs'
       to
   'c:\winnt\system32\inetsrv\nimdafilter.dll'.
Set this key value manually if you have installed your IIS server in a different directory than the one specified above. Note that 'Filter DLLs' is a comma-separated list of filter paths: if other filters are already registered on the server, append the path to the existing value rather than replacing it, or those filters will silently stop loading.

REMOVAL INSTRUCTIONS for Nimda Virus:

If you are using anti-nimda to clean an infected computer, follow these instructions:

  1. Run Anti-Nimda on all drives (specify 'C:', 'D:', etc.)
  2. Reboot the computer.
  3. Repeat steps 1-2 above until no more files are detected.
  4. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
  5. Remove unnecessary shares. (Check all local drives under 'My Computer'.)
  6. Delete the guest account from the Administrators group (if applicable - NT or Win2000).

SOURCE CODE:

In the great name of GNU you are free to run the program and use the source code as you wish. All I ask is that my name remains in the about box and you forward any changes to me; I would like to keep an updated copy for all. The source code is written in a way that could be adapted to other virus definitions. Here is a short description of the C++ classes:


CVirusCleaner

  • VirusCleaner.h
  • VirusCleaner.cpp

    The workhorse of the virus scanner. Given a starting root directory, it creates a thread that recurses through all directories and scans files for virus signatures. When a signature is found in a file that could possibly be infected, this class passes the file to the custom virus killer class that deals with it (scan, clean or delete). This class also holds the statistics of the scan.


VirusKiller

  • VirusCleaner.h
  • VirusCleaner.cpp

    This class is (basically) an abstract class that defines the interface for a virus killer. A virus killer holds the virus definition (name, signature, etc.) and has the code to handle an infected file (in-depth scan, clean or delete). Creating a new virus killer entails subclassing this class and providing the virus name, associated extensions (or all), signature (if any), and a 'virtual SCANRESULT Clean()' method to handle an infected file. The Clean() function should return whether it only scanned, cleaned or deleted the file.


w32_nimda_a, w32_nimda_b, w32_nimda_c

  • w32_nimda.h
  • w32_nimda.cpp

    These three classes make up the complete definition for the Nimda virus. Version 'a' cleans 'exe' and 'dll' files, version 'b' cleans 'htm', 'html' and 'asp' files, and version 'c' simply deletes all '*.eml' and '*.nws' files.
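    The scanner/killer split described for CVirusCleaner, VirusKiller and the three Nimda definitions, as an added example in plain C++. This is not the project's code: the class and function names (ExeKiller, HtmlKiller, MailKiller, ScanFiles, ConstructedSampleDisk, RunConstructedScan), the SCANRESULT values, the in-memory "disk" that stands in for the directory walk and every signature string are constructed for illustration; no real malware pattern appears here.

```cpp
// Added example, not the project's code: the VirusKiller interface and the scanner's
// dispatch loop sketched in plain C++. Class names, SCANRESULT values, the in-memory
// "disk" and every signature string are constructed for illustration only.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

enum SCANRESULT { SCAN_ONLY, SCAN_CLEANED, SCAN_DELETED };
// Lower-cased extension of a path ("C:\x\Y.HTM" -> "htm"), "" when there is none.
std::string ExtensionOf(const std::string& path) {
    std::string::size_type dot = path.find_last_of('.'), sep = path.find_last_of("/\\");
    if (dot == std::string::npos || (sep != std::string::npos && sep > dot)) return "";
    std::string ext = path.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(), ::tolower);
    return ext;
}

// Abstract virus definition: name, extensions it claims (empty = every file), a signature
// (empty = no content check) and Clean(), called only once a file passed both checks.
class VirusKiller {
public:
    virtual ~VirusKiller() {}
    virtual std::string Name() const = 0;
    virtual std::vector<std::string> Extensions() const = 0;
    virtual std::string Signature() const = 0;
    virtual SCANRESULT Clean(std::string& contents) = 0;  // edits the contents in place
    bool HandlesFile(const std::string& path) const {
        std::vector<std::string> e = Extensions();
        return e.empty() || std::find(e.begin(), e.end(), ExtensionOf(path)) != e.end();
    }
    bool SignatureFound(const std::string& contents) const {
        std::string sig = Signature();
        return sig.empty() || contents.find(sig) != std::string::npos;
    }
};

// Variant "a" pattern: a payload appended to an executable is cut off at the signature.
struct ExeKiller : VirusKiller {
    std::string Name() const override { return "constructed/exe"; }
    std::vector<std::string> Extensions() const override { return {"exe", "dll"}; }
    std::string Signature() const override { return "CONSTRUCTED-EXE-SIGNATURE"; }
    SCANRESULT Clean(std::string& c) override { c.erase(c.find(Signature())); return SCAN_CLEANED; }
};
// Variant "b" pattern: an injected script block is removed from web pages.
struct HtmlKiller : VirusKiller {
    std::string Name() const override { return "constructed/html"; }
    std::vector<std::string> Extensions() const override { return {"htm", "html", "asp"}; }
    std::string Signature() const override { return "<script>CONSTRUCTED-HTML-SIGNATURE</script>"; }
    SCANRESULT Clean(std::string& c) override { c.erase(c.find(Signature()), Signature().size()); return SCAN_CLEANED; }
};
// Variant "c" pattern: no signature at all, every .eml/.nws file is deleted.
struct MailKiller : VirusKiller {
    std::string Name() const override { return "constructed/mail"; }
    std::vector<std::string> Extensions() const override { return {"eml", "nws"}; }
    std::string Signature() const override { return ""; }
    SCANRESULT Clean(std::string& c) override { c.clear(); return SCAN_DELETED; }
};

struct ScanStats { int filesScanned = 0, infected = 0, cleaned = 0, deleted = 0; };
typedef std::map<std::string, std::string> FileSet;  // path -> contents, stands in for the disk

// The scanner's loop: each file is offered to every killer; those whose extension list
// and signature both match get Clean() called on it, and a deleted file is not offered
// further. The real class walks directories on its own thread; here the disk is a map.
ScanStats ScanFiles(FileSet& files, const std::vector<VirusKiller*>& killers) {
    ScanStats st; std::vector<std::string> toDelete;
    for (FileSet::iterator it = files.begin(); it != files.end(); ++it) {
        ++st.filesScanned;
        for (VirusKiller* vk : killers) {
            if (!vk->HandlesFile(it->first) || !vk->SignatureFound(it->second)) continue;
            ++st.infected;
            SCANRESULT r = vk->Clean(it->second);
            if (r == SCAN_CLEANED) ++st.cleaned;
            if (r == SCAN_DELETED) { ++st.deleted; toDelete.push_back(it->first); break; }
        }
    }
    for (const std::string& p : toDelete) files.erase(p);  // erase only after the walk
    return st;
}

// Constructed sample disk; none of this content is real malware.
FileSet ConstructedSampleDisk() {
    FileSet f;
    f["C:\\inetpub\\wwwroot\\index.htm"] = "<html>hello<script>CONSTRUCTED-HTML-SIGNATURE</script></html>";
    f["C:\\winnt\\system32\\good.dll"] = "MZ...untouched library image...";
    f["C:\\temp\\app.exe"] = "MZ...original code...CONSTRUCTED-EXE-SIGNATURE...appended payload...";
    f["C:\\temp\\readme.eml"] = "From: constructed sample mail";
    return f;
}

// Runs the three constructed killers over the sample disk; the cleaned disk is left in `disk`.
ScanStats RunConstructedScan(FileSet& disk) {
    disk = ConstructedSampleDisk();
    ExeKiller a; HtmlKiller b; MailKiller c;
    return ScanFiles(disk, std::vector<VirusKiller*>{&a, &b, &c});
}
```

    Two design points worth noticing: deletions are collected during the walk and applied afterwards, so the iteration never invalidates itself, and the extension check runs before the (comparatively expensive) content search, which is what lets a killer with an empty signature, like the '.eml'/'.nws' one, act on extension alone.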


CNimdaDlg

  • NimbdaDlg.h
  • NimbdaDlg.cpp

    Dialog (visual interface) for the anti-Nimda virus killer. Starts the CVirusKiller thread and creates a Windows timer to update statistics from the CVirusKiller object. Very simple interface.


CServiceThread

  • ServiceThread.h
  • ServiceThread.cpp

    Implements threading for general service-type threads. A class I generally use when creating worker threads. All that is needed is to override 'virtual void run()'; Start(), Stop(), Pause() and Continue() are already implemented.


CProperty

  • Property.h
  • Property.cpp

    Used in CServiceThread as a way for a worker thread to receive input/start parameters.


CNimdaFilter

  • NimdaFilter.h
  • NimdaFilter.cpp

    Contains the IIS filter. The most relevant code (i.e. not produced by the ISAPI Extension Wizard) is in 'CNimdaFilter::OnUrlMap'. This method is called when IIS maps a URL sent by a browser to a filename on the local machine. If the file part of the URL contains the percent (%) character, constituting a malformed URL, an error is returned and the client is disconnected. An entry is written to the Nimda filter log recording the client's IP address, the time of the attack and the malformed part of the URL.
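    The decision OnUrlMap makes, as an added example that is not the project's code, isolated from ISAPI so it can be compiled and run anywhere. The function names (FilePartOfUrl, ShouldRejectUrl, FilterLogLine) and the sample requests in main() are constructed; the only ISAPI details assumed are that a real filter reads the URL from HTTP_FILTER_URL_MAP::pszURL and the client address from the REMOTE_ADDR server variable.

```cpp
// Added example, not the project's code: the OnUrlMap decision isolated from ISAPI.
// Function names and sample requests are constructed for illustration.
#include <cstdio>
#include <string>

// The file part is what follows the last '/' of the path, with any query string cut off.
std::string FilePartOfUrl(const std::string& url) {
    std::string path = url.substr(0, url.find('?'));
    std::string::size_type slash = path.find_last_of('/');
    return slash == std::string::npos ? path : path.substr(slash + 1);
}

// The filter's rule as described: a '%' anywhere in the file part marks the URL as
// malformed. Returns true when the request should get 500 Internal Server Error and
// be disconnected; badPart receives the offending file part for the log entry.
bool ShouldRejectUrl(const std::string& url, std::string& badPart) {
    std::string file = FilePartOfUrl(url);
    if (file.find('%') == std::string::npos) return false;
    badPart = file;
    return true;
}

// One tab-separated log line per rejected request: client address, time, malformed part.
std::string FilterLogLine(const std::string& clientIp, const std::string& when, const std::string& badPart) {
    return clientIp + "\t" + when + "\t" + badPart;
}

int main() {
    // Constructed requests; the first two show the rule's edges, not attack traffic.
    const char* samples[] = { "/default.asp", "/images/logo%20small.gif?v=2", "/dir%41/index.htm" };
    for (const char* url : samples) {
        std::string bad;
        if (ShouldRejectUrl(url, bad))
            std::printf("%s -> 500 + disconnect, log: %s\n", url, FilterLogLine("192.0.2.10", "(time)", bad).c_str());
        else
            std::printf("%s -> passed to IIS\n", url);
    }
}
```

    The rule is deliberately coarse, and two consequences show up in the sample run: a legitimately percent-encoded file name (a space encoded as %20) is rejected as well, and a '%' in a directory component is not examined at all because only the file part is checked. Anyone deploying a filter like this should review its log for false positives and treat it as a stopgap alongside the vendor patch rather than a replacement for it.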

Downloads

Download demo project - 23 Kb
Download source - 140 Kb


Comments

  • Conversion

    Posted by Bizzo on 09/24/2007 09:13am

    Can you convert to vb.net? If so, do it for me to understand the code.

  • consult code

    Posted by Legacy on 07/12/2002 12:00am

    Originally posted by: gustavo

    Dear Paul Kimmel:

    Do you know where I can find code in Visual Basic about antivirus for Melissa?

    Thank you.

    Goodbye

  • Awesome!

    Posted by Legacy on 05/27/2002 12:00am

    Originally posted by: engineerdude

    Just wanted to give props to the author of this program. It worked perfectly (so far so good) removing the Nimba virus. I really thought I was going to have to wipe the hard disk to get rid of the infection, but this seems to have taken care of the problem.

    Muchas gracias!
