List of known worms
avast! Virus Cleaner is currently (in version 1.0.211) able to identify and remove the following worm families:
* Win32:Badtrans [Wrm]
* Win32:Beagle [Wrm] (aka Bagle), variants A-Z, AA-AH
* Win32:Blaster [Wrm] (aka Lovsan), variants A-I
* Win32:BugBear [Wrm], including B-I variants
* Win32:Ganda [Wrm]
* Win32:Klez [Wrm], all variants (including variants of Win32:Elkern)
* Win32:MiMail [Wrm], variants A, C, E, I-N, Q, S-V
* Win32:Mydoom [Wrm] (variants A, B, D, F-N - including the trojan horse)
* Win32:Nachi [Wrm] (aka Welchia, variants A-L)
* Win32:NetSky [Wrm] (aka Moodown, variants A-Z, AA-AD)
* Win32:Nimda [Wrm]
* Win32:Opas [Wrm] (aka Opasoft, Opaserv)
* Win32:Parite (aka Pinfi), variants A-C
* Win32:Sasser [Wrm] (variants A-G)
* Win32:Scold [Wrm]
* Win32:Sinowal [Trj] - variants AA, AB
* Win32:Sircam [Wrm]
* Win32:Sober [Wrm], variants A-I, J-K
* Win32:Sobig [Wrm], including variants B-F
* Win32:Swen [Wrm], including UPX-packed variants
* Win32:Yaha [Wrm] (aka Lentin), all variants
* Win32:Zafi [Wrm] (variants A-D)
Disinfection process in detail
By default, avast! Virus Cleaner does all the work automatically. When you start it and press the "Start scanning" button, the following will be done:
1. The operating system memory will be scanned, and if any known worm is found, the worm process is terminated - thus avoiding further spreading. If it is not possible to terminate the worm process (it could happen e.g. with Nimda worm that uses a fake library to run inside other processes), the worm will be deactivated in memory to stop its spreading.
2. Your local hard disks will be scanned.
3. The "startup items" (such as the system registry, Startup Folder(s), etc.) will be scanned. References to worms found in memory or on disk will be removed or fixed.
4. Infected files, identified in point 2, will be removed or fixed (as needed).
5. Additional working/temporary files created by the identified worms will be removed.
6. If restarting the computer is needed to finish the disinfection process (e.g. when a file could not be removed because it was currently in use, or if the deactivated worm process is still present), the user is notified and asked whether the restart should be done immediately