REMHYB.BAT Version 1.0

This batch program is a modified version of REMMTX, which was developed as an aid in the removal of MTX. Similarly, REMHYB is designed to act as a removal tool for infections of the Hybris internet worm.

REMHYB must be used in true DOS without Windows running in the background. Windows ME users must use their Emergency Boot Disk (EBD). Win 9X users should also boot from their System disk, since CD-ROM support may be required for the extraction of the WSOCK32.DLL file. If it is known that this file is in a CAB archive elsewhere, then Win 9X users may boot to command line mode by pressing the F8 key during the bootup process.

If booting from floppy disk, then at the A:> prompt type:

    C:
    CD FSI
    REMHYB

REMHYB employs WIN-EDIT.EXE, a DOS program written earlier for basic repairs of Hybris infections such as the Hybris.b variant, which places a large spiral image on the monitor screen.

WIN-EDIT is invoked first. It begins with a search for any and all files in the System directory which have eight-character name fields followed by the .EXE extension. It presents these names on screen, and the user has the option of highlighting and deleting any suspicious-looking files that appear to have random characters in their name field, such as ASDFGHJK.EXE.

Next, the user's WIN.INI file is examined. If a suspicious file name as described above is found in the line starting with load=, that line of text is presented on screen to the user, who can decide to have the program remove that particular text or leave it. If the user chooses to remove it, the file by the same name is also removed from the System folder. The unmodified WIN.INI file is backed up as WIN.000.

When WIN-EDIT exits, the user will be presented with an option to rename the existing WSOCK32.DLL file. This must be done before extraction of a fresh WSOCK32.DLL from a CAB file. The user should insert the Windows Setup CD into the drive in case the desired CAB file is only located there. In certain Win 95 cases the source media may be floppy diskette.

Finally, the user can choose to scan/disinfect using F-PROT. This is highly recommended. When F-PROT is finished, the user is presented with an option to view the HYBRIS.TXT report that resulted from the scan. Replying y(es) will invoke the DOS Editor. Use the up/down arrow keys to move through the report. When finished viewing, press the Alt key. Then press the down arrow to Exit. Press Enter.

-------------------------------------------------------------------
File list:

REMHYB.BAT
WIN-EDIT.EXE
FINDCD.BAT
FINDCD.COM
README.TXT
-------------------------------------------------------------------
My thanks to Robert Green who kindly gave me permission to modify and use his REMMTX batch program for this purpose.

Arthur R. Kopp
3/12/01
artnpeg@mindspring.com
-------------------------------------------------------------------
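
The WIN.INI check described above for WIN-EDIT, sketched in Python as an added example; this is not WIN-EDIT's own code or part of the original package. The function names and the sample WIN.INI are constructed for illustration, and entries on the load= line are assumed to be separated by spaces. The name pattern only lists candidates, so removal takes the names the user confirmed, and the unmodified text is returned for saving as WIN.000.

```python
import re

# Added illustration, not WIN-EDIT's code: an "eight character name field
# followed by the .EXE extension", as the README describes it.
EIGHT_CHAR_EXE = re.compile(r"^[^\\/:.\s]{8}\.EXE$", re.IGNORECASE)

def basename(entry):
    """Strip any drive and directory part from a DOS path."""
    return re.split(r"[\\/:]", entry)[-1]

def split_load_lines(ini_text):
    """Yield (line, entries); entries is None unless the line is the
    load= line of the [windows] section (assumed space-separated)."""
    section = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        is_load = section == "windows" and s.lower().startswith("load=")
        yield line, (s[5:].split() if is_load else None)

def suspicious_load_entries(ini_text):
    """Candidates to show the user: load= entries named 8 chars + .EXE."""
    return [e for _, entries in split_load_lines(ini_text)
            for e in entries or [] if EIGHT_CHAR_EXE.match(basename(e))]

def remove_entries(ini_text, confirmed):
    """Return (backup, cleaned); only user-confirmed entries are dropped."""
    drop = {c.lower() for c in confirmed}
    out = []
    for line, entries in split_load_lines(ini_text):
        if entries is not None:
            kept = [e for e in entries if e.lower() not in drop]
            line = "load=" + " ".join(kept)
        out.append(line)
    return ini_text, "\n".join(out) + "\n"

# Constructed sample WIN.INI; CLOCKAPP.EXE stands for a legitimate program
# that happens to have an eight-character name.
SAMPLE_INI = (
    "[windows]\n"
    "load=C:\\WINDOWS\\SYSTEM\\ASDFGHJK.EXE C:\\TOOLS\\CLOCKAPP.EXE\n"
    "run=\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)
```

Both entries in the sample match the pattern, which is why the choice of what to remove stays with the user.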