Anti-Nimda Virus Scanner and Cleaner with IIS Invulnerability Filter

Environment: VC6, 95/98/NT/2000

PROJECT 1: Nimda Virus Scanner & Cleaner

Pardon the lack of special features in this program. I shotgun-coded it overnight when the Nimda virus went wild and the big-shot virus scanners didn't have any (clean-enabled) virus definitions. I find it still works better than McAfee, F-Prot and Norton AV at cleaning the Nimda virus.

PROJECT 2: IIS Vulnerability Filter Patch

The second project in the workspace is an Internet Information Server (IIS) filter that patches the vulnerability in IIS that lets the Nimda virus run wild. For a reason I can't figure out, the patch recommended by Microsoft did not patch the vulnerability and our servers continued to get infected. Once installed, this filter DLL returns an 'Internal Server Error' to anyone attempting to take advantage of the vulnerability. To install, double-click on the nimda-filter.req file. This sets the registry key:
   'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filter DLLs'
Set this key value manually if you have installed your IIS server in a different directory than specified above.


If you are using Anti-Nimda to clean an infected computer, follow these instructions:

  1. Run Anti-Nimda on all drives (specify 'C:', 'D:', etc.)
  2. Reboot the computer.
  3. Repeat steps 1-2 above until no more files are detected.
  4. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
  5. Remove unnecessary shares. (Check all local drives under 'My Computer'.)
  6. Delete the guest account from the Administrators group (if applicable - NT or Win2000)


In the great name of GNU you are free to run the program and use the source code as you wish. All I ask is that my name remains in the about box and you forward any changes to me; I would like to keep an updated copy for all. The source code is written in a way that could be adapted to other virus definitions. Here is a short description of the C++ classes:


  • VirusCleaner.h
  • VirusCleaner.cpp

    The workhorse of the virus scanner. Given a starting root directory it creates a thread that recurses through all directories and scans files for virus signatures. When a signature is found within a file that could possibly be infected this class passes the file onto the custom virus killer class that deals with it (scan, clean or delete). This class also holds the scan statistics of the scan.


  • VirusCleaner.h
  • VirusCleaner.cpp

    This class is (basically) an abstract class that defines the interface for a virus killer. A virus killer holds the virus definition (name, signature, etc) and has the code to handle an infected file, (in-depth scan, clean or delete). Creating a new virus killer would entail subclassing this class and providing the virus name, associated extensions (or all), signature (if any), and a 'virtual SCANRESULT Clean()' method to handle an infected file. The Clean() function should return whether it only scanned, cleaned or deleted the file.

w32_nimda_a, w32_nimda_b, w32_nimda_c

  • w32_nimda.h
  • w32_nimda.cpp

    These three files make up the total definition for the Nimda virus. Version 'a' cleans 'exe' and 'dll' files, version 'b' cleans 'htm', 'html', and 'asp' files, and finally version 'c' simply deletes all '*.eml' and '*.nws' files.
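
The virus-killer interface described above, sketched as an added example (not the project's source): `Killer`, `File`, `ScanAll`, the `<!--CONSTRUCTED-SIG-->` signature and its cleaning rule are hypothetical, and files are in-memory records rather than files on disk.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
enum SCANRESULT { SCANNED, CLEANED, DELETED };
struct File { std::string name, data; bool deleted; };  // in-memory stand-in for a disk file
struct Killer {  // hypothetical name for the abstract virus-killer interface
    virtual ~Killer() {}
    virtual std::vector<std::string> Extensions() const = 0;  // empty: all files
    virtual std::string Signature() const = 0;                // empty: no signature
    virtual SCANRESULT Clean(File& f) = 0;
    bool Matches(const File& f) const {  // extension first (case-insensitive), then signature
        const std::string::size_type dot = f.name.rfind('.');
        std::string ext = dot == std::string::npos ? "" : f.name.substr(dot + 1);
        for (char& c : ext) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        const std::vector<std::string> exts = Extensions();
        if (!exts.empty() && std::find(exts.begin(), exts.end(), ext) == exts.end()) return false;
        return Signature().empty() || f.data.find(Signature()) != std::string::npos;
    }
};
struct DeleteByExtension : Killer {  // the policy the page gives for version 'c'
    std::vector<std::string> Extensions() const { return {"eml", "nws"}; }
    std::string Signature() const { return ""; }
    SCANRESULT Clean(File& f) { f.deleted = true; return DELETED; }
};
struct StripAppended : Killer {  // constructed signature and cleaning rule
    std::vector<std::string> Extensions() const { return {"htm", "html", "asp"}; }
    std::string Signature() const { return "<!--CONSTRUCTED-SIG-->"; }
    SCANRESULT Clean(File& f) {
        const std::string::size_type at = f.data.find(Signature());
        if (at == std::string::npos) return SCANNED;  // nothing to remove
        f.data.erase(at); return CLEANED;             // drop the signature and what follows it
    }
};
std::vector<int> ScanAll(std::vector<File>& files, const std::vector<Killer*>& killers) {
    std::vector<int> stats(3, 0);  // counts indexed by SCANRESULT
    for (File& f : files) {
        SCANRESULT r = SCANNED;    // files no killer claims were only scanned
        for (Killer* k : killers)
            if (k->Matches(f)) { r = k->Clean(f); break; }
        ++stats[r];
    }
    return stats;
}
int main() {  // constructed sample files
    std::vector<File> files = {{"README.EML", "x", false}, {"a.htm", "hi<!--CONSTRUCTED-SIG-->x", false}};
    DeleteByExtension c; StripAppended b;
    return ScanAll(files, {&c, &b})[CLEANED] == 1 ? 0 : 1;
}
```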


  • NimbdaDlg.h
  • NimbdaDlg.cpp

    Dialog (visual interface) for the anti-nimda virus killer. Starts the CVirusKiller thread and creates a windows timer to update statistics from the CVirusKiller object. Very simple interface.


  • ServiceThread.h
  • ServiceThread.cpp

    Implements threading for general servicing-type threads. A class I generally use when creating worker threads. All that is needed is to override 'virtual void run()'; Start(), Stop(), Pause() and Continue() are already implemented.


  • Property.h
  • Property.cpp

    Used in CServiceThread as a way for a worker thread to receive input/start parameters.


  • NimdaFilter.h
  • NimdaFilter.cpp

    Contains the IIS filter. The most relevant code (i.e. not produced by the ISAPI Extension Wizard) is in 'CNimdaFilter::OnUrlMap'. This method is called when IIS is mapping a URL passed by a browser to a filename on the local machine. If the file part of the URL contains the percent (%) character, constituting a malformed URL, an error is returned and the client is disconnected. An entry is made in the Nimda filter log recording the client's IP address, the time of the attack and the malformed part of the URL.
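
The check described for 'CNimdaFilter::OnUrlMap', as an added portable example rather than the project's ISAPI code: `CheckUrl` and `LogEntry` are hypothetical names, the "file part" is assumed to be everything before the first '?', and the sample URLs are constructed.

```cpp
#include <cstdio>
#include <ctime>
#include <string>

struct UrlVerdict {
    bool reject;            // true: return an error and drop the client
    std::string offending;  // path segment that contained '%'
};

// Assumption: the "file part" is everything before the first '?'.
UrlVerdict CheckUrl(const std::string& url) {
    const std::string path = url.substr(0, url.find('?'));
    const std::string::size_type pct = path.find('%');
    if (pct == std::string::npos) return {false, ""};
    std::string::size_type start = path.rfind('/', pct);
    start = (start == std::string::npos) ? 0 : start + 1;
    const std::string::size_type end = path.find('/', pct);
    return {true, path.substr(start, end == std::string::npos ? end : end - start)};
}

// One log line: time (UTC), client IP, offending segment. Control characters
// are replaced so a hostile URL cannot forge extra log lines.
std::string LogEntry(const std::string& clientIp, std::time_t when, const UrlVerdict& v) {
    char stamp[32];
    std::strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", std::gmtime(&when));
    std::string safe = v.offending;
    for (char& c : safe)
        if (static_cast<unsigned char>(c) < 0x20 || c == 0x7f) c = '?';
    return std::string(stamp) + " " + clientIp + " rejected \"" + safe + "\"";
}

int main() {
    // Constructed sample requests; 192.0.2.10 is a documentation address.
    const char* samples[] = {"/index.htm", "/search.asp?q=a%20b", "/docs/a%255cb/page.htm"};
    for (const char* s : samples) {
        UrlVerdict v = CheckUrl(s);
        std::puts(v.reject ? LogEntry("192.0.2.10", std::time(nullptr), v).c_str() : "allowed");
    }
    return 0;
}
```

Applied to a raw request line, this rule also rejects file names that are legitimately percent-encoded, so where in the request pipeline the check runs decides how many valid requests it turns away.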


Download demo project - 23 Kb
Download source - 140 Kb


  • Conversion

    Posted by Bizzo on 09/24/2007 09:13am

    Can you convert to If so do it for me to understand the code

  • consult code

    Posted by Legacy on 07/12/2002 12:00am

    Originally posted by: gustavo

    Dear Paul Kimmel:

    Do you know where I can find code in Visual Basic about antivirus for Melissa?

    Thank you.


  • Awesome!

    Posted by Legacy on 05/27/2002 12:00am

    Originally posted by: engineerdude

    Just wanted to give props to the author of this program. It worked perfectly (so far so good) removing the Nimda virus. I really thought I was going to have to wipe the hard disk to get rid of the infection, but this seems to have taken care of the problem.

    Mucho gracias!
