Security Incidents mailing list archives

MS tool to disinfect Code Red II


From: aleph1 () securityfocus com
Date: Tue, 7 Aug 2001 22:32:31 -0600

Over the past couple of days some folks at Microsoft have been
working on a tool to disinfect Code Red II systems. As discussed
on the list, the appropriate solution to a Code Red II infection is
a full reinstall, as the backdoor may have been used to compromise
the system further, but this tool provides an alternative for those
people not willing to go through a reinstall.

You can find the tool at:
http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp

I'll reprint Microsoft's warning:

* THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES 
  NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.

* IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO 
  ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS 
  OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER 
  ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.

* WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II 
  WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER 
  OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS 
  BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.
  IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK 
  BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN 
  BEING PLACED BACK INTO SERVICE.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
