Security Incidents mailing list archives

Want to write a disinfection tool?


From: aleph1 () securityfocus com
Date: Sun, 5 Aug 2001 19:11:00 -0600

Anyone on the list that is a VBScript programmer that wants to write
a disinfection tool for Code Red II?

The scripts would need to:

1. Download Microsoft's patch for the index server vulnerability and
   verify its MD5 hash.

2. If the system is not running SP2 and has not had the patch associated
   with MS00-052 applied, download the patch associated with that
   advisory and verify its MD5 hash.

3. Ask the user to disconnect the machine from the Internet and wait
   for him to do so.

4. Shut down IIS. The main worm code will no longer be memory resident.

5. If either of the backdoor files C:\inetpub\scripts\root.exe or
   D:\inetpub\scripts\root.exe exists, delete it.

6. If either of the trojan files C:\explorer.exe or D:\explorer.exe exists,
   delete it.

7. If the system is not running SP2 and has not had the patch associated
   with MS00-052 applied, install the patch associated with that
   advisory.

8. Restart the system. The explorer.exe trojan will no longer be
   memory resident, if it ever was.

9. Reset the following registry keys either to their default values or by
   prompting the user:
   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc

10. Delete the following registry keys:
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c
    SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d

11. Apply the patch for the index server vulnerability.

12. Restart the system.

13. Ask the user to reconnect the system to the network.


-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


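The step list in the post, written out as an added PowerShell example. This is not code from the original message and not the VBScript tool aleph1 asked for; it is an editor's illustration of the same procedure in the shell a Windows administrator would use today. Because the procedure reboots twice, the script runs in two phases: -Phase 1 covers download, disconnect, stopping IIS, deleting the backdoor and trojan files, the MS00-052 patch and the first restart; -Phase 2 covers the registry cleanup, the index server patch and the second restart. The file paths and registry locations are the ones in the post. The patch URLs, expected MD5 hashes and the MS00-052 hotfix ID are not given in the post and are left as placeholders the operator fills in from Microsoft's advisories; the working directory name is an assumption as well.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Two phases because the
# procedure reboots in the middle: -Phase 1 = steps 1-8, -Phase 2 = steps 9-13.
# ASSUMPTION: patch URLs, MD5 hashes and the MS00-052 hotfix ID are not in the
# post; the operator must supply them from Microsoft's advisories.
param(
    [ValidateSet(1, 2)][int]$Phase = 1,
    [string]$IdxPatchUrl   = 'https://PATCH-URL-FROM-MICROSOFT/idx-patch.exe',
    [string]$IdxPatchMd5   = 'EXPECTED-MD5-FROM-ADVISORY',
    [string]$ShellPatchUrl = 'https://PATCH-URL-FROM-MS00-052/shell-patch.exe',
    [string]$ShellPatchMd5 = 'EXPECTED-MD5-FROM-ADVISORY',
    [string]$ShellHotfixId = 'QNNNNNN',   # hotfix ID listed in MS00-052 (placeholder)
    [string]$Work = "$env:SystemDrive\CodeRedII-cleanup"   # assumed scratch directory
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

$VRoots   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-Verified($Url, $Md5) {
    # Download a patch and refuse to continue unless its MD5 matches the advisory.
    $out = Join-Path $Work (Split-Path $Url -Leaf)
    Invoke-WebRequest -Uri $Url -OutFile $out
    $actual = (Get-FileHash -Path $out -Algorithm MD5).Hash
    if ($actual -ine $Md5) { throw "MD5 mismatch for $out : got $actual" }
    return $out
}

function Test-NeedsShellPatch {
    # Steps 2 and 7: the MS00-052 patch is needed unless the box is at SP2
    # or already has the hotfix installed.
    $sp = (Get-CimInstance Win32_OperatingSystem).ServicePackMajorVersion
    if ($sp -ge 2) { return $false }
    return -not (Get-HotFix -Id $ShellHotfixId -ErrorAction SilentlyContinue)
}

function Confirm-Reboot($Why) {
    Read-Host "$Why Press Enter to restart the system" | Out-Null
    Restart-Computer -Force
}

if ($Phase -eq 1) {
    # Steps 1-2: fetch the patches while still online and check their hashes.
    $idx = Get-Verified $IdxPatchUrl $IdxPatchMd5
    $shell = $null
    if (Test-NeedsShellPatch) { $shell = Get-Verified $ShellPatchUrl $ShellPatchMd5 }
    # Step 3: disconnect before touching anything else, or the host is reinfected.
    Read-Host 'Disconnect this machine from the Internet, then press Enter' | Out-Null
    # Step 4: stop IIS so the worm code is no longer memory resident.
    Stop-Service -Name W3SVC -Force
    # Steps 5-6: remove the root.exe backdoor and explorer.exe trojan copies.
    foreach ($d in 'C:', 'D:') {
        foreach ($f in "$d\inetpub\scripts\root.exe", "$d\explorer.exe") {
            if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force; "removed $f" }
        }
    }
    # Step 7: install MS00-052 if it was needed; step 8: reboot so a loaded
    # trojan explorer.exe is out of memory.
    if ($shell) { Start-Process -FilePath $shell -Wait }
    Confirm-Reboot 'Phase 1 done. Re-run this script with -Phase 2 after the reboot.'
} else {
    # Step 9: SFCDisable defaults to 0 (Windows File Protection on); for the
    # Scripts and msadc virtual roots show the current data and let the user decide.
    Set-ItemProperty -Path $Winlogon -Name SFCDisable -Value 0 -Type DWord
    foreach ($n in 'Scripts', 'msadc') {
        $cur = (Get-ItemProperty -Path $VRoots -Name $n -ErrorAction SilentlyContinue).$n
        $new = Read-Host "Virtual root '$n' is currently [$cur]. New value (Enter to keep)"
        if ($new) { Set-ItemProperty -Path $VRoots -Name $n -Value $new -Type String }
    }
    # Step 10: drop the c and d virtual roots the worm added.
    foreach ($n in 'c', 'd') { Remove-ItemProperty -Path $VRoots -Name $n -ErrorAction SilentlyContinue }
    # Step 11: apply the index server patch fetched in phase 1, re-checking its hash
    # since the file sat on disk across a reboot.
    $idx = Join-Path $Work (Split-Path $IdxPatchUrl -Leaf)
    if ((Get-FileHash -Path $idx -Algorithm MD5).Hash -ine $IdxPatchMd5) { throw "MD5 mismatch for $idx" }
    Start-Process -FilePath $idx -Wait
    # Steps 12-13: restart, then the user reconnects the network.
    Write-Host 'After the restart, reconnect the system to the network.'
    Confirm-Reboot 'Phase 2 done.'
}
```

Run it once as `.\cleanup.ps1 -Phase 1` with the real URLs, hashes and hotfix ID passed as parameters, and again as `-Phase 2` after the first restart. The Virtual Roots entries are registry values under the "Virtual Roots" key, so the script uses Set-ItemProperty and Remove-ItemProperty rather than key operations. Get-FileHash and Get-CimInstance need a modern PowerShell, which is a deliberate choice for the illustration; a tool for the Windows NT 4.0 and 2000 hosts of 2001 would have been written in VBScript as the post requests.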