
ANTI-NIMBA Virus Killer
Sept 19th, 2001
																		Colin Mackenzie
																		http://www.colinmackenzie.net
																		email:guru@colinmackenzie.net



Pardon the lack of special features in this program. I shotgun-coded it overnight when the Nimda virus
went wild and the big-shot virus scanners didn't have any (clean-enabled) virus definitions.

REMOVAL INSTRUCTIONS for Nimda:
	1. Run Anti-Nimba on all drives (specify, 'C:', 'D:', etc.)
	2. Reboot the computer.
	3. Repeat steps 1-2 above until no more files are detected.
	4. Delete the following text from the Shell= entry in system.ini: load.exe -dontrunold 
	5. Remove unnecessary shares. (check all local drives under 'My Computer')
	6. Delete the guest account from the Administrators group (if applicable - NT or Win2000)


SOURCE CODE:
In the great name of GNU you are free to run the program and use the source code as you wish. All I ask
is that my name remains in the about box and you forward any changes to me; I would like to keep an 
updated copy for all.

Colin MacKenzie


The source code is written in a way that could be adapted to other virus definitions. Here is a short
description of the C++ classes:

< CVirusCleaner >
	VirusCleaner.h
	VirusCleaner.cpp

	The workhorse of the virus scanner. Given a starting root directory it creates a thread that
	recurses through all directories and scans files for virus signatures. When a signature is 
	found within a file that could possibly be infected this class passes the file onto the custom 
	virus killer class that deals with it (scan, clean or delete).

	This class also holds the statistics of the scan.


< VirusKiller >
	VirusCleaner.h
	VirusCleaner.cpp

	This class is (basically) an abstract class that defines the interface for a virus killer. A virus
	killer holds the virus definition (name, signature, etc.) and has the code to handle an infected
	file (in-depth scan, clean or delete). Creating a new virus killer would entail subclassing this
	class and providing the virus name, associated extensions (or all), signature (if any), and a
	'virtual SCANRESULT Clean()' method to handle an infected file. The Clean() function should
	return whether it only scanned, cleaned or deleted the file.


< w32_nimda_a, w32_nimda_b, w32_nimda_c >
	w32_nimda.h
	w32_nimda.cpp

	These three files make up the total definition for the Nimda virus. Version 'a' cleans 'exe' and
	'dll' files, version 'b' cleans 'htm', 'html', and 'asp' files, and finally version 'c' simply
	deletes all '*.eml' and '*.nws' files.
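
	A sketch of the killer pattern described in the VirusKiller and w32_nimda sections above, added
	as an example. It is not the program's own code: every class, enum and function name is
	hypothetical, files are modelled in memory, and the signature string and file names are constructed.

```cpp
// Added illustration; all names are hypothetical, not taken from VirusCleaner.h.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

enum ScanResult { NOT_INFECTED, SCANNED, CLEANED, DELETED };  // SCANNED = inspected only
struct File { std::string name, data; bool deleted; };        // in-memory stand-in for a file

struct Killer {  // virus definition plus the handler for a matching file
    std::string virusName, signature;  // empty signature: the extension alone decides
    std::vector<std::string> exts;
    virtual ~Killer() {}
    virtual ScanResult Clean(File& f) = 0;
    bool Applies(const File& f) const {
        std::string::size_type dot = f.name.rfind('.');
        std::string ext = dot == std::string::npos ? "" : f.name.substr(dot + 1);
        for (char& c : ext) c = (char)std::tolower((unsigned char)c);  // names are case-insensitive
        return std::find(exts.begin(), exts.end(), ext) != exts.end() &&
               (signature.empty() || f.data.find(signature) != std::string::npos);
    }
};
struct StripKiller : Killer {  // cleans: cuts the appended block, keeps the file
    StripKiller() { virusName = "sample_b"; signature = "<!--CONSTRUCTED-SIG-->"; exts = {"htm", "html", "asp"}; }
    ScanResult Clean(File& f) override {
        f.data.erase(f.data.find(signature));  // drop the signature and everything after it
        return CLEANED;
    }
};
struct DeleteKiller : Killer {  // deletes: no signature, the extension is the verdict
    DeleteKiller() { virusName = "sample_c"; exts = {"eml", "nws"}; }
    ScanResult Clean(File& f) override { f.deleted = true; return DELETED; }
};
// Scanner loop: the first applicable killer handles the file; results are tallied.
std::map<ScanResult, int> Scan(std::vector<File>& files, const std::vector<Killer*>& killers) {
    std::map<ScanResult, int> stats;
    for (File& f : files) {
        ScanResult r = NOT_INFECTED;
        for (Killer* k : killers)
            if (k->Applies(f)) { r = k->Clean(f); break; }
        ++stats[r];
    }
    return stats;
}
std::map<ScanResult, int> ScanSample() {  // constructed sample files
    std::vector<File> files = {{"index.HTML", "<p>hi</p><!--CONSTRUCTED-SIG-->junk", false}, {"a.eml", "", false}, {"n.txt", "", false}};
    StripKiller b; DeleteKiller c;
    return Scan(files, {&b, &c});
}
```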


< CNimdaDlg >
	NimbdaDlg.h
	NimbdaDlg.cpp

	Dialog (visual interface) for the anti-nimda virus killer. Starts the CVirusKiller thread and
	creates a windows timer to update statistics from the CVirusKiller object. Very simple interface.


< CServiceThread >
	ServiceThread.h
	ServiceThread.cpp

	Implements threading for general servicing-type threads. A class I generally use when creating
	worker threads. All that is needed is to override 'virtual void run()'; Start(), Stop(),
	Pause() and Continue() are already implemented.


< CProperty.h >
	Property.h
	Property.cpp

	Used in CServiceThread as a way for a worker thread to receive input/start parameters.

