Sophos

W32/Niklas-O


Summary

 
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Check to see if your anti-virus software restarts. If it does not, uninstall and then reinstall it.

Check your administrator passwords and review network security.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ "MELIS" = "<copy of worm>"

and delete it if it exists.

Close the registry editor.

More Information

W32/Niklas-O is a Peer-to-Peer (P2P) worm which attempts to spread through P2P file sharing networks.

Upon execution, the worm may drop itself into the Windows folder as NIKLAUS.EXE or MELIS.EXE and may set the following registry entry so that it runs on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ "MELIS" = "<copy of worm>"

W32/Niklas-O may also attempt to create the folder C:\<Windows>\TEMP\BINARY32 and copy itself into any shared folders.

W32/Niklas-O may attempt to enumerate and terminate processes related to a large number of different anti-virus products and personal firewalls.

The worm may also check several registry values used to launch various anti-virus programs during the Windows startup process and attempt to remove them.
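
The manual registry steps under Action and the artifacts listed above can be checked in one pass with the following PowerShell script, which is an added example and not Sophos code. It assumes PowerShell is available on the machine and an elevated session for -Remove; the WOW6432Node path and the backup file name are assumptions that do not appear in this description.

```powershell
# Added example, not Sophos code. Checks for the W32/Niklas-O artifacts named on
# this page; with -Remove it backs up the Run key and deletes the MELIS value.
# Assumptions: PowerShell is available; -Remove runs in an elevated session.
param([switch]$Remove)

$valueName = 'MELIS'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: 32-bit registry view on 64-bit Windows (not listed on the page)
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$index = 0

foreach ($key in $runKeys) {
    $index++
    if (-not (Test-Path -Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $entry) { continue }

    Write-Output "FOUND run value: $key -> $valueName = $($entry.$valueName)"
    if ($Remove) {
        # Export the key before editing, as the manual steps do with Regedit.
        $backup = Join-Path $env:TEMP "RunKey-$index-$stamp.reg"
        & reg.exe export ($key -replace '^HKLM:', 'HKLM') $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed; $key left unchanged"; continue }
        Remove-ItemProperty -Path $key -Name $valueName
        Write-Output "Removed $valueName (backup: $backup)"
    }
}

# File names alone are not proof of infection; confirm hits with a scanner.
$paths = @(
    (Join-Path $env:windir 'NIKLAUS.EXE'),
    (Join-Path $env:windir 'MELIS.EXE'),
    (Join-Path $env:windir 'TEMP\BINARY32')
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Output "FOUND path: $($item.FullName) (modified $($item.LastWriteTime))"
    }
}
```

Run without arguments, the script only reports what it finds and changes nothing.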
