***************************************************************************
		Utility for cleaning infection by:
			I-Worm.BleBla.b
			I-Worm.Navidad
			I-Worm.Sircam
			I-Worm.Goner
			I-Worm.Klez.a,e,f,g,h
			Win32.Elkern.c
			I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j
			I-Worm.Tanatos
			Worm.Win32.Opasoft.a,b,c,d,e
			I-Worm.Avron.a,b,c
 Version 8.2.0 Copyright (C) Kaspersky Lab 2000-2002. All rights reserved.
***************************************************************************
Command line:
	/scanfiles - force scanning of hard drives. The program will scan the
		hard drive for I-Worm.Klez.a(e,f,g,h) infection in any case.
	/netscan - include scanning of mapped network drives.
	/y - end the program without waiting for a key press.
	/i - show command line info.
	/mirc - if the program finds viruses with mIRC infection, it will try
		to find the mirc32.exe path on the local hard drive to
		delete/disinfect mIRC scripts.
Return codes:
	0 - nothing to clean
	1 - virus was deleted and system restored
	2 - to finalize removal of the virus you should reboot the system
	3 - to finalize removal of the virus you should reboot the system and
		start the program a second time
	4 - program error.
***************************************************************************

I-Worm.BleBla.b
---------------
	If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry, it will:
delete registry keys
	HKEY_CLASSES_ROOT\rnjfile
	HKEY_CLASSES_ROOT\.lha
repair registry key to default value
	HKEY_CLASSES_ROOT\.jpg to jpegfile
	HKEY_CLASSES_ROOT\.jpeg to jpegfile
	HKEY_CLASSES_ROOT\.jpe to jpegfile
	HKEY_CLASSES_ROOT\.bmp to Paint.Picture
	HKEY_CLASSES_ROOT\.gif to giffile
	HKEY_CLASSES_ROOT\.avi to avifile
	HKEY_CLASSES_ROOT\.mpg to mpegfile
	HKEY_CLASSES_ROOT\.mpeg to mpegfile
	HKEY_CLASSES_ROOT\.mp2 to mpegfile
	HKEY_CLASSES_ROOT\.wmf to empty
	HKEY_CLASSES_ROOT\.wma to wmafile
	HKEY_CLASSES_ROOT\.wmv to wmvfile
	HKEY_CLASSES_ROOT\.mp3 to mp3file
	HKEY_CLASSES_ROOT\.vqf to empty
	HKEY_CLASSES_ROOT\.doc to word.document.8 or wordpad.document.1
	HKEY_CLASSES_ROOT\.xls to excel.sheet.8
	HKEY_CLASSES_ROOT\.zip to winzip
	HKEY_CLASSES_ROOT\.rar to winrar
	HKEY_CLASSES_ROOT\.arj to archivefile or winzip
	HKEY_CLASSES_ROOT\.reg to regfile
	HKEY_CLASSES_ROOT\.exe to exefile
try to delete file
	c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
	If the program finds the HKEY_CURRENT_USER\Software\Navidad,
HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key
in the registry, it will:
delete registry keys
	HKEY_CURRENT_USER\Software\Navidad
	HKEY_CURRENT_USER\Software\xxxxmas
	HKEY_CURRENT_USER\Software\Emanuel
	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
			Win32BaseServiceMOD
repair registry key to default value
	HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
try to delete file
	winsvrc.vxd
	winfile.vxd
	wintask.exe

I-Worm.Sircam
-------------
	If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the
registry, "@win \recycled\sirc32.exe" in autoexec.bat, or \windows\run32.exe
together with a \windows\rundll32.exe that was created with Delphi, it will:
delete registry keys
	HKEY_LOCAL_MACHINE\Software\SirCam
	Software\Microsoft\Windows\CurrentVersion\RunServices
			Driver32
repair registry key to default value
	HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
try to delete file
	%Windows drive%:\RECYCLED\SirC32.exe
	%Windows directory%\ScMx32.exe
	%Windows system directory%\SCam32.exe
	%Windows startup directory%\"Microsoft Internet Office.exe"
	%Windows drive%:\windows\rundll32.exe
try to rename files
	%Windows drive%:\windows\Run32.exe to 
			%Windows drive%:\windows\RunDll32.exe
try to repair files
	autoexec.bat

	If the program cannot delete or rename a file (it may be in use at
that moment), it queues the file to be deleted or renamed during the boot
process and offers the user a system reboot.

I-Worm.Goner
------------
	If a gone.scr process exists in memory, the program will try to stop it.
	If the file %Windows system directory%\gone.scr exists on the hard drive,
the program will try to delete it.
	If the program finds a %Windows system directory%\gone.scr key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run of the system
registry, it will delete this key.

I-Worm.Klez.a,e-h, Win32.Elkern.c, I-Worm.Lentin.a-j, I-Worm.Tanatos, 
---------------------------------------------------------------------
Worm.Win32.Opasoft.a-e, I-Worm.Avron.a-c
----------------------------------------
	If the program finds the following processes in memory:
		Krn132.exe
		WQK.exe
		or any processes infected by these viruses, it will stop them
and delete their files from the hard drive and the links to their files from
the system registry.
	If the program finds that the WQK.DLL library has been loaded by any
process, it will rename the library file and remove it after a system reboot.
If the program finds this library in the memory of your PC, you should reboot
your PC when the program finishes and start it a second time after the reboot
to clean your system registry.
	If the program finds any infected processes in memory, it will start a
scan of your hard drive (and all mapped network drives if you specify /netscan
on the command line). It will check only for infection by these viruses.
	If you specify the /scanfiles key on the command line, the program will
scan your hard drive (and all mapped network drives if you specify /netscan)
in all cases.
	If the utility finds a file with the .EML extension during scanning, it
will try to unpack the files from it and check them.
	If the Win32.Elkern.c virus has created a memory mapping, the program
will disinfect this memory area.
	If any files are infected by the I-Worm.Avron virus and the command
line key /mirc has been specified, the program will try to find the
mirc32.exe file and delete script files infected by the I-Worm.Avron virus.
try to repair files
	autoexec.bat
		I-Worm.Avron
			win %virus file path and name%
	win.ini section [Windows]
		I-Worm.Lentin.g,e 
			run=MSTASKMON.EXE
		I-Worm.Lentin.c,d,f
			run=mstaskee.exe
		Worm.Win32.Opasoft.a,b,c,d,e
			run=scrsvr.exe
delete registry keys
	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
		I-Worm.Tanatos
			Link to virus file.
	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
		I-Worm.Lentin.h,i,j
			Link to virus file.
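
Added example (not part of the original utility or its documentation): a Python
sketch of the startup-file repair described above, removing the run= entries
listed for win.ini [Windows] and the Sircam line listed for autoexec.bat. The
function names, the sample file contents, and the rule that run= entries are
split on spaces or commas are assumptions made for this illustration.

```python
import ntpath
import re

# File names this README lists as worm-added run= entries in win.ini [Windows].
WORM_RUN_TARGETS = {"mstaskmon.exe", "mstaskee.exe", "scrsvr.exe"}
# Line this README lists as the Sircam marker in autoexec.bat.
SIRCAM_AUTOEXEC = r"@win \recycled\sirc32.exe"

def repair_win_ini(text):
    """Return (cleaned_text, removed_entries) for win.ini content."""
    out, removed, section = [], [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
        key, sep, value = s.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # Assumption: run= entries are separated by spaces or commas.
            items = [i for i in re.split(r"[,\s]+", value) if i]
            bad = [i for i in items
                   if ntpath.basename(i).lower() in WORM_RUN_TARGETS]
            if bad:
                removed.extend(bad)
                line = "run=" + " ".join(i for i in items if i not in bad)
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed

def repair_autoexec(text):
    """Return (cleaned_text, removed_lines) for autoexec.bat content."""
    kept, removed = [], []
    for line in text.splitlines():
        norm = " ".join(line.split()).lower()  # ignore case and extra spaces
        (removed if norm == SIRCAM_AUTOEXEC else kept).append(line)
    return "".join(k + "\r\n" for k in kept), removed

# Constructed sample input (not taken from a real system).
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\SYSTEM\\MSTASKMON.EXE C:\\TOOLS\\clock.exe\r\n"
    "\r\n"
    "[Desktop]\r\n"
    "run=scrsvr.exe\r\n"
)
SAMPLE_AUTOEXEC = "@ECHO OFF\r\n@WIN \\RECYCLED\\SIRC32.EXE\r\nSET TEMP=C:\\TEMP\r\n"

if __name__ == "__main__":
    print(repair_win_ini(SAMPLE_WIN_INI))
    print(repair_autoexec(SAMPLE_AUTOEXEC))
```

Only run= lines inside the [Windows] section are touched, and legitimate
programs sharing a run= line with a worm entry are kept.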
