SWFLCSS
-------

Version 1.05, September 2001
Copyright (c) 2001, Sophos Plc.
www.sophos.com

1. Introduction
2. Disconnecting from the network
3. You will need
4. Making the SWFLCSS floppy disk
5. Applying the Servicepack
6. Running SWFLCSS on a lightly infected computer
7. Running SWFLCSS on a heavily infected computer
8. After running SWFLCSS
9. Additional SWFLCSS options
10. For further assistance

1. Introduction
---------------

SWFLCSS is a utility for disinfecting the W32/FLCSS virus. This virus infects most 32-bit Windows platforms (Windows 95, 98, Me, NT, 2000, XP). It can spread by copying itself across networks and by sending out infected emails. For details see:

    http://www.sophos.com/virusinfo/analyses/w32flcss.html

The tool these notes refer to can be found at:

    http://www.sophos.com/tools/flcssfx.exe

If you have Windows 95/98/Me computers, or Windows NT/2000/XP computers with FAT partitions, you should disinfect them with DOS SWEEP using the instructions linked from the SWFLCSS web page. If necessary, you can use SWFLCSS instead, but you must clean boot before running it. Follow the instructions below.

Read through these notes before starting to disinfect your computer(s).

2. Disconnecting from the network
---------------------------------

You should disconnect any infected computers from the network before proceeding. This prevents the virus from spreading any further while you are getting ready to clean the infected computers. Logging off is not sufficient.

3. You will need
----------------

* Windows NT. You must have Servicepack 6a for Windows NT.
* Windows 2000. You must have Servicepack 1 for Windows 2000 clients.
* The Sophos SWFLCSS utility.

You may also need an NTFS DOS driver for heavily infected computers.

4. Making the SWFLCSS floppy disk
---------------------------------

On an uninfected computer, copy FLCSSFX.EXE from the \tools\utils directory on the Sophos CD or download it from http://www.sophos.com/tools/flcssfx.exe.

Run FLCSSFX.EXE to extract SWFLCSS.EXE and these notes. They extract to the directory C:\Sophtemp under Windows (or to the current directory under DOS). Copy SWFLCSS.EXE onto the floppy disk. Write-protect the floppy disk.

5. Applying the Servicepack
---------------------------

a) Applying the service pack

Using Explorer, open \WINNT\SYSTEM32. Locate FLCSS.EXE and rename it to FLCSS.EX_. Create a directory called FLCSS.EXE in \WINNT\SYSTEM32. Leave this directory empty. Reboot your computer. Apply the relevant Servicepack (6a in the case of Windows NT, 1 in the case of Windows 2000).

6. Running SWFLCSS on a lightly infected computer
-------------------------------------------------

Before running SWFLCSS, it is vital that you ensure that the W32/FLCSS virus is not resident in memory. With certain precautions it may be possible to disinfect at a command prompt. If not, you will have to reboot with an NTFS DOS driver.

a) Shutting everything possible down

On a lightly infected computer running Windows NT or Windows 2000, where no significant services have become infected, it may be possible to run SWFLCSS from a command prompt.

Double-click on FLCSSFX.EXE to install it into Sophtemp. Shut down all programs. Then go to Start|Settings|Control Panel and double-click Services. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.

Press the Control, Alt and Del keys at the same time. Click on Task Manager, then select the Processes tabbed page. Select a process and click on End Process. It may or may not end. Repeat this for the other processes (including the Windows Desktop).

b) Running SWFLCSS

When you have closed all possible programs in Task Manager, go to File|New Task (Run) and type Command. Close down the Task Manager screen. At the command prompt type:

    CD SOPHTEMP
    SWFLCSS C:

Repeat this process for other hard drives, e.g. SWFLCSS D:.

SWFLCSS cannot guarantee to disinfect all files. In such cases you will see the message:

    Disinfection unsuccessful

You must delete all files where disinfection did not succeed. These files can be restored from a clean backup or the original CD.

c) Checking this has worked

When disinfection has finished, type Explorer to restart the Windows Desktop and run an All files scan in Sophos Anti-Virus to check that the virus has gone. If the virus has gone, go to section 8 'After running SWFLCSS'. If the virus has not gone, you will have to clean boot with an NTFS DOS driver.

7. Running SWFLCSS on a heavily infected computer
-------------------------------------------------

a) Rebooting with an NTFS DOS driver

To clean boot computers with NTFS partitions you will need an NTFS DOS driver that can both read and write to NTFS partitions. Sophos has tested version 3.03 of the Winternals NTFSDOS Pro NTFS DOS driver and it is known to work satisfactorily with SWFLCSS.

NTFSDOS Pro can be purchased from Winternals. Version 3.03 is packaged in with the current version (3.12). You can either download the two versions from http://www.winternals.com or contact Winternals Technical Support by email at support@winternals.com or by telephone at +1 (512) 330-9861.

Prepare an NTFS DOS boot disk using NTFSDOS Pro or a similar tool. Reboot the computer using your NTFS-aware boot disk.

N.B.: If using SWFLCSS on Windows 95/98 computers, restart the computer in DOS (16-bit) mode (not a 'DOS box'). On Windows Me computers or Windows NT/2000 computers with FAT partitions, reboot from a clean boot disk.

b) Deleting FLCSS.EXE

After having restarted the infected computer, browse to the \WINNT\SYSTEM32 directory and delete the file FLCSS.EXE (if it is present).

c) Running SWFLCSS

On the infected computer, insert the floppy disk containing the SWFLCSS utility and copy the SWFLCSS.EXE file into a temporary directory on the local hard disk. In the following example drive D: is used.

    D:
    CD \
    MD SOPHTEMP
    CD SOPHTEMP
    COPY A:\SWFLCSS.EXE D:\SOPHTEMP
    SWFLCSS D:

The last command runs SWFLCSS, which scans all of the directories on drive D and identifies and disinfects all infected files. Repeat this process for all other hard drives, e.g. SWFLCSS E:

It is important to remember that infected files are not always restored to their original state.

Note: W32/FLCSS, when it infects a file, is committing an unauthorised, illegal act and may damage the file. Such damage cannot be reversed automatically without a copy of the original file.

SWFLCSS cannot guarantee to disinfect all files. In such cases you will see the message:

    Disinfection unsuccessful

You must delete all files where disinfection did not succeed. These files can be restored from a clean backup or the original CD.

8. After running SWFLCSS
------------------------

After the disinfection process described above you must restart the computer in Windows and do the following:

a) Uninstall the FLC service, if present

You can do this using the utility SWSERV, which can be found in the SWDEPSFX.EXE self-extracting archive in the \tools\utils\ directory on the Sophos CD. Use the command:

    SWSERV -DELETE FLC

b) Run another scan of the computer under Windows

This is necessary to ensure that directories that cannot be recognised under DOS (whose names contain illegal characters such as "!" and "?") are scanned.

c) Re-application of the Service Pack

It is recommended that you re-apply the relevant Service Pack so as to be sure that certain system files which might have been modified by the virus (without necessarily having been infected) are replaced.

d) Activate InterCheck protection

Restart the InterCheck client to restore on-access protection.

9. Additional SWFLCSS options
-----------------------------

If you do not want SWFLCSS to request confirmation before attempting to disinfect each file, add the -NOC (for "no confirmation") option when you run the program:

    SWFLCSS -NOC D:

If you want to produce a report recording the actions taken by SWFLCSS, add -LF=filename to write a log file:

    SWFLCSS -LF=SAV.LOG D:

If you want more detailed information in the disinfection log, add the -V (verbose) qualifier when executing the program:

    SWFLCSS -LF=SAV.LOG -V D:

If you do not want more detailed information in the disinfection log, add the -NV (not verbose) qualifier when executing the program. (This is the default option.)

If you want a temporary backup of the infected files while they are being disinfected, add the -T (Temporary) qualifier when executing the program:

    SWFLCSS -T D:

If you do not want a temporary backup of the infected files while they are being disinfected, add the -NT (no temporary) qualifier when executing the program. (This is the default option.)

Note: the log files may become very large, particularly on servers containing thousands of files.

10. For further assistance
--------------------------

For further assistance, please contact Sophos technical support (support@sophos.com).

7 April 2003
----------------
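The batch file below is an added example and is not part of the Sophos notes or the SWFLCSS tool. It ties together the per-drive commands of section 7c with the -NOC and -LF options of section 9: it copies SWFLCSS.EXE from the floppy, runs it once for each drive letter that exists, writes one log per drive, and collects every log line that reports "Disinfection unsuccessful" into a single list so that the files still needing deletion and restoration from backup are not overlooked. Everything it assumes is an assumption for this example: that the computer has already been clean booted from an NTFS-aware boot disk (section 7a) with FLCSS.EXE deleted (section 7b), that SWFLCSS.EXE is on the write-protected floppy in A:, that the working directory is C:\SOPHTEMP, that FIND.EXE is available on the boot disk, that -LF= accepts a full path, and that the "Disinfection unsuccessful" message is written to the -LF log as well as the screen. The drive list (C D E F) and the file name RUNALL.BAT are placeholders; run it with its full path (e.g. A:\RUNALL.BAT) so that the CALL %0 recursion can find it.

```batch
@ECHO OFF
REM RUNALL.BAT (hypothetical name) - added example, not Sophos code.
REM Runs SWFLCSS over several drives with -NOC and a per-drive -LF log,
REM then gathers the "Disinfection unsuccessful" lines from all logs.
REM Assumptions (see lead-in): clean boot already done, FLCSS.EXE already
REM deleted, SWFLCSS.EXE on A:, working directory C:\SOPHTEMP, FIND.EXE on
REM the boot disk, -LF= accepts a path, and the failure message is logged.

REM When called with a drive letter in %1, only do the per-drive work.
IF NOT "%1"=="" GOTO ONEDRIVE

SET WORK=C:\SOPHTEMP
C:
CD \
IF NOT EXIST %WORK%\NUL MD SOPHTEMP
CD SOPHTEMP
COPY A:\SWFLCSS.EXE %WORK%
IF EXIST FAILED.TXT DEL FAILED.TXT

REM Section 7c: "Repeat this process for all other hard drives".
REM Each CALL re-enters this file with the drive letter as %1.
FOR %%D IN (C D E F) DO CALL %0 %%D

ECHO.
ECHO Files where disinfection did not succeed, grouped under each log name.
ECHO Delete them, then restore from a clean backup or the original CD.
TYPE FAILED.TXT
GOTO DONE

:ONEDRIVE
REM Skip drive letters that are not present on this computer.
IF NOT EXIST %1:\NUL GOTO DONE
ECHO Disinfecting drive %1: (log: %WORK%\SAV_%1.LOG)
REM -NOC: no per-file confirmation; -LF: write a log (add -V for detail,
REM but section 9 warns that logs can become very large).
%WORK%\SWFLCSS -NOC -LF=%WORK%\SAV_%1.LOG %1:
REM Append every failure line from this drive's log to the combined list.
FIND "Disinfection unsuccessful" %WORK%\SAV_%1.LOG >> %WORK%\FAILED.TXT

:DONE
```

After the batch file finishes, continue with section 8: restart into Windows, remove the FLC service with SWSERV -DELETE FLC, run another scan under Windows (DOS cannot see directories with illegal characters in their names), re-apply the Service Pack and restart InterCheck. FAILED.TXT prints a "---------- " header for each log even when that log contains no failure lines, so an empty section under a log name means every file on that drive was disinfected.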