SWBRAID
-------

Version 1.01, November 2002
Copyright (c) 2002 Sophos Plc.
www.sophos.com

1. Introduction
2. Preparing to run SWBRAID
3. Running SWBRAID
4. Disinfecting the files infected with W32/FLCSS
5. Removing the worm files
6. After running SWBRAID
   a) System Restore on Windows Me
   b) Rebooting the computer
   c) Running a scan to check disinfection
   d) Restoring your Sophos Anti-Virus settings
   e) Replacing MSCONFIG.EXE
   f) Installing the security patch
7. For further assistance


1. Introduction
---------------

SWBRAID is a utility designed to help disinfect computers infected with
W32/Braid-A. It attempts to terminate any viral processes and reset
registry keys that have been changed by the virus.

W32/Braid-A is an internet worm which emails itself to every contact in
the Microsoft Outlook address book. It drops W32/Flcss to the System
folder as Bride.exe. Bride.exe is then launched whenever another
executable is run.

Further information about this worm is available from:
http://www.sophos.com/virusinfo/analyses/w32braida.html

The tool these notes refer to can be found at
http://www.sophos.com/tools/brdsfx.exe

The user need not double-click on the attachment to become infected, as
this virus exploits a security vulnerability in Microsoft Internet
Explorer, Outlook and Outlook Express. To prevent reinfection, install
the following patch available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this virus.)

Read through these notes before starting to disinfect your computer(s).


2. Preparing to run SWBRAID
---------------------------

Download BRDSFX.EXE from http://www.sophos.com/downloads/brdsfx.exe

Run BRDSFX.EXE to extract SWBRAID.EXE, PSAPI.DLL and these notes. They
will extract to the directory C:\SOPHTEMP under Windows. If you are in
DOS, make a SOPHTEMP directory and extract the files in there.

It is recommended that you disconnect infected computers from the
network before proceeding. This is not vital to the disinfection
process, but it will stop the worm spreading further.


3. Running SWBRAID
------------------

Open a Command Prompt (on Windows NT/2000/XP) or an MS-DOS Prompt (on
Windows 95/98/Me). Now run the SWBRAID utility. Type

   C:
   CD \SOPHTEMP
   SWBRAID

SWBRAID should terminate all the viral processes and change the affected
registry keys. If a message says that the viral processes have not all
been terminated, or that SWBRAID.EXE cannot be found, contact Sophos
technical support.


4. Disinfecting the files infected with W32/FLCSS
-------------------------------------------------

Install Sophos Anti-Virus if necessary.

Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus SWEEP
(on Windows 95/98/Me) to launch the Sophos Anti-Virus window.

Click on the 'Immediate' tab, then choose Options|Configuration|Action.
Select 'Disinfect programs'. Click 'OK' to return to the main window.

Check that your local hard drives are selected (look for the green
light). Click 'GO' to start the scan. If prompted to disinfect a file
infected with W32/FLCSS, click 'Yes'.


5. Removing the worm files
--------------------------

In the Sophos Anti-Virus window click on the 'Immediate' tab, then
choose Options|Configuration|Action. Select 'Infected files', then
select 'Delete'. Click 'OK' to return to the main window.

Check that your local hard drives are selected (look for the green
light). Click 'GO' to start the scan. If prompted to delete a file
infected with W32/Braid-A, make a note of the name of the file, then
click 'Yes'.

If any virus other than W32/Braid-A is detected, contact Sophos
technical support for advice.


6. After running SWBRAID
------------------------

After running SWBRAID perform the following actions:

a) System Restore on Windows Me

   Note: this will delete any previously created restore points.

   Go to Start|Settings|Control Panel. Double-click 'System', then click
   on the 'Performance' tab. Click 'File System', then click the
   'Troubleshooting' tab. Select 'Disable System Restore' and click
   'Apply'. Now deselect 'Disable System Restore' and click 'Apply'.
   Click 'Close' and click 'Close' again. Restart the computer.

b) Rebooting the computer

   Shut down your computer and restart it. Double-click on the
   InterCheck monitor flash and check that its status is marked as
   'Active'.

c) Running a scan to check disinfection

   Now run another scan to check that all copies of the virus have gone.
   Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
   NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus
   SWEEP (on Windows 95/98/Me) to launch the Sophos Anti-Virus window.
   Click 'GO' to start the scan. If copies of the virus remain, contact
   Sophos technical support.

d) Restoring your Sophos Anti-Virus settings

   Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
   NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus
   SWEEP (on Windows 95/98/Me) to launch the Sophos Anti-Virus window.
   Click on the 'Immediate' tab, then choose Options|Configuration|
   Action. Deselect 'Delete', then deselect 'Infected files'. Click 'OK'
   to return to the main window.

e) Replacing MSCONFIG.EXE

   W32/Braid-A replaces the Windows file MSCONFIG.EXE with a worm file.
   You will have to replace it. You can copy MSCONFIG.EXE from another
   Windows 98/Me computer or from a Windows CD.

f) Installing the security patch

   This virus can exploit a security vulnerability in Microsoft Internet
   Explorer, Outlook and Outlook Express. To prevent reinfection, you
   should install the following patch available from Microsoft:
   http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
   (This patch fixes a number of vulnerabilities in Microsoft's
   software, including the one exploited by this virus.)


7. For further assistance
-------------------------

For further assistance, please contact Sophos technical support
(support@sophos.com).

7 April 2003
----------------
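The checks in section 6 (c and e) can be scripted so that the result of a clean-up is verified rather than eyeballed. The following is an added example written for these notes, not part of the SWBRAID tool: it looks for the dropper file Bride.exe in the System folder and compares the installed MSCONFIG.EXE against a known-good copy (taken from another Windows 98/Me machine or a Windows CD, as section 6e advises). The folder and file paths are parameters the caller supplies.

```python
import hashlib
from pathlib import Path

# Indicators taken from these notes: the worm drops Bride.exe into the
# System folder and replaces the Windows file MSCONFIG.EXE.
WORM_DROPPER = "bride.exe"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_cleanup(system_dir, installed_msconfig, known_good_msconfig):
    """Return a list of findings; an empty list means both checks passed.

    system_dir:          the Windows System folder to inspect for Bride.exe
    installed_msconfig:  the MSCONFIG.EXE currently on the machine
    known_good_msconfig: a clean reference copy of MSCONFIG.EXE
    """
    findings = []

    # DOS/Windows file names are not case sensitive, so match on the
    # lower-cased name rather than relying on the exact spelling on disk.
    present = {p.name.lower(): p for p in Path(system_dir).iterdir()
               if p.is_file()}
    if WORM_DROPPER in present:
        findings.append(
            "worm dropper still present: %s" % present[WORM_DROPPER])

    installed = Path(installed_msconfig)
    if not installed.is_file():
        findings.append("MSCONFIG.EXE is missing: %s" % installed)
    elif sha256_of(installed) != sha256_of(known_good_msconfig):
        findings.append(
            "MSCONFIG.EXE does not match the known-good copy: %s" % installed)

    return findings
```

Run it after step 6b and again after 6e; any finding means the worm file is still present or MSCONFIG.EXE has not yet been replaced.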