Anti-Nimda Virus Scanner and Cleaner with IIS Invulnerability Filter

Environment: VC6, 95/98/NT/2000

PROJECT 1: Nimda Virus Scanner & Cleaner

Pardon the lack of special features in this program. I shotgun coded it overnight when the nimda virus went wild and the big-shot virus scanners didnt have any (clean enabled) virus definitions. I find it still works better than McAfee, F-prot and Norton AV at cleaning the nimda virus.

PROJECT 2: IIS Vulnerability Filter Patch

The second project in the workspace is an Internet Information Server (IIS) Filter that patches the invulnerability in IIS that lets the nimda virus run wild. For a reason I cant figure out the patch recommended by microsoft did not patch the invulnerability and our servers continued to get infected. This filter DLL once installed returns an ‘Internal Server Error’ to anyone attempting to take advantage of the vulnerability. To install double-click on the nimda-filter.req file. This sets the registry key:

   ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Filter DLLs’



Set this key value manually if you have installed your IIS server in a different directory than specified above.


If you are using anti-nimda to clean an infected computer follow these instructions:

  • 1. Run Anti-Nimba on all drives (specify, ‘C:’, ‘D:’, etc.)
  • 2. Reboot the computer.
  • 3. Repeat steps 1-2 above until no more files are detected.
  • 4. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold
  • 5. Remove unnecessary shares. (check all local drives under ‘My Computer’)
  • 6. Delete the guest account from the Administrators group (if applicable – NT or Win2000)


In the great name of GNU you are free to run the program and use the source code as you wish. All I ask is that my name remains in the about box and you forward any changes to me; I would like to keep an updated copy for all. The source code is written in a way that could be adpated to other virus definitions, Here is a short description of the C++ classes:


  • VirusCleaner.h
  • VirusCleaner.cpp

    The workhorse of the virus scanner. Given a starting root directory it creates a thread that recurses through all directories and scans files for virus signatures. When a signature is found within a file that could possibly be infected this class passes the file onto the custom virus killer class that deals with it (scan, clean or delete). This class also holds the scan statistics of the scan.


  • VirusCleaner.h
  • VirusCleaner.cpp

    This class is (basically) an abstract class that defines the interface for a virus killer. A virus killer holds the virus definition (name, signature, etc) and has the code to handle an infected file, (in-depth scan, clean or delete). Creating a new virus killer would entail subclassing this class and providing the virus name, associated extensions (or all), signature (if any), and a ‘virtual SCANRESULT Clean()’ method to handle an infected file. The Clean() function should return whether it only scanned, cleaned or deleted the file.

w32_nimda_a, w32_nimda_b, w32_nimda_c

  • w32_nimda.h
  • w32_nimda.cpp

    These three files make up the total definition for the nimbda virus. Version ‘a’ cleans ‘exe’ and ‘dll’ files, version ‘b’ cleans ‘htm’, ‘html’, and ‘asp’ files, and finally version ‘c’ simply deletes all ‘*.eml’ and ‘*.nws’ files.


  • NimbdaDlg.h
  • NimbdaDlg.cpp

    Dialog (visual interface) for the anti-nimda virus killer. Starts the CVirusKiller thread and creates a windows timer to update statistics from the CVirusKiller object. Very simple interface.


  • ServiceThread.h
  • ServiceThread.cpp

    impliments threading for general servicing type threads. A class I generally use when creating worker threads. All that is needed is to override ‘virtual void run()’ and the Start(), Stop() Pause() and Continue() are already implimented.


  • Property.h
  • Property.cpp

    Used in CServiceThread as a way for a worker thread to recieve input/start parameters.


  • NimdaFilter.h
  • NimdaFilter.cpp

    Contains the IIS filter for nimda filter. The most relevant code (i.e. not produced by the ISAPI Extension Wizard) is contained in ‘CNimdaFilter::OnUrlMap’. This method is called when IIS is mapping a URL passed by a browser to a filename on the local machine. If the file part of the url contains the percent (%) character, constituting a malformed URL, an error is returned and the client is disconnected. An entry to the nimda filter log is made logging the clients IP address, time of attack and the malformed part of the URL.


Download demo project – 23 Kb

Download source – 140 Kb

More by Author

Must Read