Instructions for disinfecting W32/Apology-B
Sophos Anti-Virus has found the W32/Apology-B virus on my computer. What should I do?
If the file concerned is an email attachment which you have not run, then delete the email. The virus analysis includes a list of file names used by the virus.
Run a scan using Sophos Anti-Virus to ensure that the virus has not spread.
If the virus has spread, you will need to use the SWAPOL disinfector.
Getting SWAPOL
SWAPOL is a utility for disinfecting the W32/Apology family of viruses.
If you do not have the Sophos Anti-Virus CD you will need to download:
- The SWAPOL self-extractor and save it into the C:\ (root) directory.
- The Emergency SAV Distribution (DOS) self-extractor and save it into the C:\ (root) directory.
The method of removal differs for Windows 95/98/Me and Windows NT/Windows 2000.
Removing W32/Apology-B under Windows 95/98/Me
Using the self-extractor files
You can use the self-extractor files safely in Windows, but for maximum security you should extract them into the C:\SOPHTEMP directory in 16-bit (DOS) mode.
At the Windows Desktop, double-click on My Computer, then double-click on C:. You should see the APOLSFX.EXE and ESDZ.EXE programs in the C:\ folder.
Double-click on APOLSFX.EXE then double-click on ESDZ.EXE to extract them into the C:\SOPHTEMP directory.
You now need to restart in 16-bit (DOS) mode.
It is best to boot your computer with a clean-boot disk that can see your CD drive. If you are using Windows Me you will have to clean-boot from a startup disk, or from your system CD.
Under Windows 95/98, if you do not have a clean boot disk available, go to the Windows 95/98 'Shut Down...' menu (via the 'Start' button on the task bar) and select the option 'Restart the computer in MS-DOS mode'.
Note: You must restart the computer in MS-DOS mode; opening an MS-DOS Prompt window (a 'DOS Box') is not good enough.
The computer will restart at the command prompt.
Go to the C:\SOPHTEMP directory with the command
CD C:\SOPHTEMP
You can now use SWAPOL from the command prompt.
Copying files from the Sophos Anti-Virus CD
Restart your computer in 16-bit (DOS) mode.
It is best to boot your computer with a clean-boot disk that can see your CD drive.
If you do not have a clean boot disk available, go to the Windows 95/98 'Shut Down...' menu (via the 'Start' button on the task bar) and select the option 'Restart the computer in MS-DOS mode'.
Note: You must restart the computer in MS-DOS mode; opening an MS-DOS Prompt window (a 'DOS Box') is not good enough.
The computer will restart at the command prompt.
Check that your computer can access its CD drive in 16-bit mode (some versions of Windows 95 cannot). If it can't, return to Windows, create the C:\SOPHTEMP folder and copy the files there from within Windows. This is less secure, but should be adequate.
Create a working directory at the command prompt
MD C:\SOPHTEMP
CD C:\SOPHTEMP
and copy SWEEP.EXE, VDL.DAT and DOS4GW.EXE from the \DOS directory and APOLSFX.EXE from the \TOOLS\UTILS directory into this C:\SOPHTEMP directory, then run the self-extractor
COPY D:\DOS\SWEEP.EXE
COPY D:\DOS\DOS4GW.EXE
COPY D:\DOS\VDL.DAT
COPY D:\TOOLS\UTILS\APOLSFX.EXE
APOLSFX.EXE
where D: is your CD drive. You can now use SWAPOL from the command prompt.
Using SWAPOL from the command prompt
From the DOS prompt, run SWEEP.EXE to create a report file for SWAPOL.
Use the command
SWEEP *: -ALL -F -LANG=ENG -P=C:\SOPHTEMP\INFECTED.REP
SWEEP.EXE will write its report into the file INFECTED.REP in the C:\SOPHTEMP directory.
Using the report file
Now feed the report file into SWAPOL, with the command
SWAPOL will prompt for confirmation to disinfect each infected file in turn.
If you press 'Y' for 'Yes', then SWAPOL will attempt disinfection. You should see
That program is now clean, with the virus positively erased.
When you have finished running SWAPOL, re-run SWEEP.EXE from the command line to find any files which could not be disinfected.
If infected files remain, delete them and replace them with clean versions from the original media or a clean PC.
Removing W32/Apology-B under Windows NT/Windows 2000
W32/Apology-B is not a fast infector under Windows NT/Windows 2000 although infected client files and the backdoor component MTX_.EXE may be present.
To remove MTX_.EXE first shut it down: press the Ctrl, Alt and Del keys at the same time, click on Task Manager, select the Processes tab, highlight MTX_ and then click on End Process. This unlocks MTX_.EXE. Close Task Manager.
Delete MTX_.EXE.
Infected Windows 95/98/Me clients should be disinfected in 16-bit mode using the instructions above. While your Windows 95/98/Me computers are not logged on to your server, and the infected files on your Windows NT/Windows 2000 server are unlocked, run SWAPOL on your server.
Running SWAPOL under Windows NT/Windows 2000
SWAPOL can be run in a Command Prompt window under Windows NT/Windows 2000.
Since SWEEP will only scan one hard drive at a time, each drive must be scanned separately and gets its own report file.
From the command prompt, run SWEEP.EXE to create a report file for SWAPOL.
Where C: is your hard drive, use the command
SWEEP C: -ALL -F -LANG=ENG -P=C:\SOPHTEMP\INFECTC.REP
SWEEP.EXE will write its report into the file INFECTC.REP in the C:\SOPHTEMP directory.
For drive D: use the same command line replacing C: with D: and INFECTC with INFECTD. The report will be written to the INFECTD.REP file.
Using the report file
Now feed the report file into SWAPOL, with the command
SWAPOL will prompt for confirmation to disinfect each infected file in turn.
If you press 'Y' for 'Yes', then SWAPOL will attempt disinfection. You should see
That program is now clean, with the virus positively erased.
Repeat this process for the INFECTD.REP file, and the appropriate file for any other hard drive.
When you have finished running SWAPOL, for each hard drive in turn re-run SWEEP.EXE from the command line to find any files which could not be disinfected.
If infected files remain, delete them and replace them with clean versions from the original media or a clean PC.
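The per-drive scanning described above, collected into a batch file as an added example (this is not part of the Sophos article and not a Sophos tool). It assumes SWEEP.EXE and VDL.DAT have already been extracted into C:\SOPHTEMP as in the sections above, that the list of drives to scan in DRIVES is edited to match the server (the list here is constructed), and that the script is run from a Command Prompt window under Windows NT/Windows 2000, whose cmd.exe supports the parenthesised FOR block and CD /D used here. Each drive is given the same SWEEP command line as the article, with the drive letter substituted into both the scan target and the report name, so the reports come out as INFECTC.REP, INFECTD.REP and so on. An optional first argument replaces the INFECT prefix, so the same script can produce the verification reports after SWAPOL has been run.

```batch
@ECHO OFF
REM Added example: scan every listed hard drive with SWEEP.EXE, one report per drive.
REM Assumes SWEEP.EXE and VDL.DAT are already in C:\SOPHTEMP (see the sections above).

REM Constructed drive list; edit to match the drives present on this server.
SET DRIVES=C D

REM Report prefix: INFECT by default (INFECTC.REP, INFECTD.REP, ...).
REM Pass another prefix as the first argument for the re-check after SWAPOL,
REM e.g. SCANALL.BAT VERIFY produces VERIFYC.REP, VERIFYD.REP, ...
SET PREFIX=%1
IF "%PREFIX%"=="" SET PREFIX=INFECT

REM Create the working directory if it is missing and make it current.
IF NOT EXIST C:\SOPHTEMP\NUL MD C:\SOPHTEMP
CD /D C:\SOPHTEMP

FOR %%D IN (%DRIVES%) DO (
    ECHO Scanning drive %%D: ...
    REM Same SWEEP options as in the article, with the drive letter substituted.
    SWEEP %%D: -ALL -F -LANG=ENG -P=C:\SOPHTEMP\%PREFIX%%%D.REP
    IF EXIST C:\SOPHTEMP\%PREFIX%%%D.REP (
        ECHO Report written: C:\SOPHTEMP\%PREFIX%%%D.REP
    ) ELSE (
        ECHO WARNING: no report produced for drive %%D: - check that SWEEP ran.
    )
)

ECHO Now feed each %PREFIX%*.REP file into SWAPOL as described above.
```

Run the script once before disinfection to produce the INFECT*.REP files for SWAPOL, then again with a different prefix after SWAPOL has finished; any file still listed in the second set of reports could not be disinfected and should be deleted and replaced from clean media, as the article instructs.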
More information
For more details on the disinfection process read READSWAP.TXT.
