Aliases
Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing worms.
Renaming the registry editor
- Using Windows explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt) right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.com.
- At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
Editing the registry
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"" = \"%1\" %*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Taskbar Manager = C:\<Windows system>\internat.exe
and delete them if they exist.
Locate the HKEY_CLASSES_ROOT entry:
Typically an unaltered registry entry will be set to
HKCR\exefile\shell\open\command\(default) = "%1" %*
the altered registry entry will be
HKCR\exefile\shell\open\command\(default) = <path to worm> "%1" %*
delete only the path to the worm. Do not delete anything else.
Close the registry editor.
Checking other computers on the network
Copies of the worm may have been dropped on open shares on other computers in your network.
- Run a scan on other computers to check them. Do not reboot first.
- Review network security.
- If worm files have been dropped on Windows 95/98/Me computers, disable sharing of the C: drive. Right-click the C: drive in Windows Explorer, select Sharing, then unshare the C: drive. Shares created on individual folders other than the Windows folder are not a security risk. If you must share the C: drive of a Windows 95/98/Me computer attached to the Internet, consider installing a firewall.