Tool for cleaning up the obvious effects of the Code Red II worm

["Microsoft Security Response Center" <secure () microsoft com>]

We wanted to let you know that we've posted on our web site a tool that
can be used to clean up the obvious effects of the Code Red II worm.
The tool performs the following operations:

- It removes the malicious files installed by the worm 
- It reboots the system to clear the hostile code from memory 
- It removes the mappings that the worm is currently known to install
(See the section titled "Cautions" below) 
- For systems where IIS was enabled, but not in use, it provides an
option to permanently disable IIS on the server. 

The tool and instructions for its use can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsol
utions/security/tools/redfix.asp.  Because of potential timing issues
caused by the way the worm operates, the tool should be run a second
time after the reboot 

We're sure that readers of Bugtraq will understand that the worm exposes
any system on which its active to other attacks that could result in an
unathorized person gaining complete control of the server.  Thus, the
tool should only be used to clean up systems where the risk of
additional damage can be determined to be low.  For systems where you
don't have confidence that the risk of additional damage is low, we
recommend wiping the system and reloading the software from distribution
media and the data from backups.  Our web page for the tool provides a
link to a CERT Coordination Center page with detailed guidance for such
a "wipe and reinstall" process.

Steve Lipner
Security Program Manager
Microsoft Security Response Center