Eml and HTML:Nimbda Virus cleanup using shell

I encountered a system at the office which was running Linux + wine and got infected by eml + HTML:Nimbda viruses due to copying and running an infected game from a Windows host.

First let me explain how it works. Your system will have .eml files almost everywhere within any directory that contains an HTML-type file, and these eml files send spam emails (if the host on which they are located supports sending email). By themselves these eml files are harmless, as they can't do anything on their own. The problem comes in the second part: all your HTML-type files are appended with lines of HTML + JS code which open those readme.eml files in another browser window whenever the HTML files are opened in a browser, so I hope you get the idea.

Here is how I got rid of them:
# refresh the locate database, then delete every *.eml file it finds (read -r keeps paths with spaces and backslashes intact)
updatedb && locate "*.eml" | while IFS= read -r line; do echo "FOUND: $line" && rm -vf "$line" ; done
# rewrite every html/htm file in place, dropping any line that mentions readme.eml (the dot is escaped so it matches literally)
find / -name '*htm*' -type f -print0 | xargs -0 perl -ni -e 'print unless /readme\.eml/'

The first line updates the locate database, locates all .eml files and deletes them safely, i.e. it copes with spaces and similar characters in the path. The second line finds all HTML-type (or htm-type) files, parses them with perl for lines which contain "readme.eml" and deletes those lines altogether. With that the virus was removed from his system, but as a cautious person I installed clamav on his system and set up the following command in cron:

freshclam; clamscan -rv --detect-pua=yes --max-dir-recursion=50 --exclude=/dev --exclude=/proc --exclude=/sys --log=/var/log/clamav/$(date +%b%d%Y%H%M%S).log -i /

This command updates the clamav virus database and then makes it scan all files and directories except /dev, /proc and /sys (you can exclude more dirs, but I was lazy) up to a directory depth of 50, detect any virus and/or potentially unwanted applications, and save everything to the log file. Hope this helps.
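A more careful version of the two cleanup lines, added here as an example and not the post's own commands: it keeps a backup of every edited HTML file so the change can be reviewed, only deletes files actually named readme.eml (narrower than the post's "every *.eml", which would also remove legitimately saved mail), and is exercised against a constructed sample tree with a space in a directory name. The function names and the sample files are assumptions for the demo; the injected line mimics the well-known Nimda append.

```shell
#!/bin/sh
# Added example, not the post's commands. Paths and file names are constructed.

# Strip every line mentioning readme.eml from HTML-type files under $1.
# Each changed file is kept as FILE.nimda.bak. Prints the number of files cleaned.
clean_html_tree() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.shtml' \) \
        -exec sh -c '
            for f in "$@"; do
                grep -q "readme\.eml" "$f" || continue
                cp -p "$f" "$f.nimda.bak"
                # grep -v exits 1 when no line is left to print; that is fine
                grep -v "readme\.eml" "$f.nimda.bak" > "$f" || :
                echo "CLEANED: $f"
            done' sh {} + | grep -c "^CLEANED:" || :
}

# Delete dropped readme.eml files (any case) under $1. Prints the number removed.
remove_dropped_eml() {
    find "$1" -type f -iname 'readme.eml' \
        -exec sh -c 'for f in "$@"; do rm -f "$f" && echo "REMOVED: $f"; done' sh {} + \
        | grep -c "^REMOVED:" || :
}

# Build a constructed tree that looks like an infected web root; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sub dir"
    inj='<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>'
    printf '%s\n%s\n' '<html><body>home</body></html>' "$inj" > "$d/index.html"
    printf '%s\n%s\n' '<html><body>page</body></html>' "$inj" > "$d/sub dir/page.shtml"
    printf '%s\n' '<html><body>clean</body></html>' > "$d/about.htm"
    : > "$d/readme.eml"
    : > "$d/sub dir/README.EML"
    : > "$d/notes.eml"   # legitimate saved mail that must survive the cleanup
    printf '%s\n' "$d"
}
```

Run `d=$(make_sample_tree); clean_html_tree "$d"; remove_dropped_eml "$d"` to see the counts; a second `clean_html_tree "$d"` prints 0, so the step is safe to repeat.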
