Q

Rich20.dll files left behind by Nimda

Does the Riched20.dll(56KB) file that is created by the Nimda virus and placed in all the folders that contain the word docs need to be deleted? I thought that if one opened a Word doc in one of those folders, it would then activate the worm again, through this dll. I found over 800 instances of this dll created on the shared network drive at work, yet the antivirus programs do not delete them.


The Rich20.dll file contains the library code for the Microsoft Rich controls used by the Nimda virus. Current RichXX file names are associated with the following versions:
Version 1.0 = Riched32.dll
Version 2.0 = Riched20.dll
Version 3.0 = Riched20.dll

The following list describes which versions of Rich Edit are included in which releases Microsoft? Windows?:
Windows XP = Includes Rich Edit 3.0 with a Rich Edit 1.0 emulator.
Windows Me = Includes Rich Edit 1.0 and 3.0.
Windows 2000 = Includes Rich Edit 3.0 with a Rich Edit 1.0 emulator.
Windows NT 4.0 = Includes Rich Edit 1.0 and 2.0.
Windows 98 = Includes Rich Edit 1.0 and 2.0.
Windows 95 = Includes only Rich Edit 1.0. However, Riched20.dll is compatible with Windows 95 and may be installed by an application that requires it.

Antivirus software will not delete or remove files unless they contain malicious code, thus the Rich20.dll files will not be removed. If the virus is still present in the directory, then YES the virus will start all over. IF the virus has been cleaned from RAM (system memory) and the hard drive/files are clean, NO the Rich20.dll file will do no damage.

Of course, proper administrative duties would include the removal of the Rich20.dll files since the antivirus program will not delete them.


This was first published in October 2001

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close