Security Incidents mailing list archives
RE: MS tool to disinfect Code Red II
From: "David LeBlanc" <dleblanc () microsoft com>
Date: Wed, 8 Aug 2001 14:41:51 -0700
There was a bug in the previous version because of the following IIS behavior - when you put a virtual root mapping into the registry, IIS will pick it up when it starts. If you then come along and take it out from the registry, IIS will put back the virtual roots that it has in its metabase when it starts. This has one beneficial side-effect - if you haven't removed /Scripts or /MSADC previously, IIS will overwrite the worm's wide-open permissions with the permissions in the metabase, but it does mean that you can't get rid of the mappings simply by undoing the damage in the registry. There will be a new version on the site shortly that removes worm-generated mappings from the metabase.

Hopefully, this should not need to be repeated, but I'll repeat it anyway. If your system got the worm and was internet-exposed, a full rebuild is the only way to assure you're rid of both the worm and any other attackers. If the system was internal, then you need to make a risk-benefit trade-off yourself, and because some attackers are internal, it is still best to rebuild. Because some people might have a lot of systems to go clean up, the hope is that the tool will help in the interim.
-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent: Tuesday, August 07, 2001 9:33 PM
To: incidents () securityfocus com
Subject: MS tool to disinfect Code Red II

Over the past couple of days some folks at Microsoft have been working on a tool to disinfect Code Red II systems. As discussed on the list the appropriate solution to a Code Red II infection is a full reinstall as the backdoor may have been used to compromise the system further, but this tool provides an alternative to those people not willing to go through a reinstall. You can find the tool at: http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp
I'll reprint Microsoft's warning:

* THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.

* IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.

* WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE. IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN BEING PLACED BACK INTO SERVICE.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
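The point LeBlanc makes above is that the worm's mappings live in two places: the legacy registry key that IIS imports at startup, and the metabase that IIS restores from. An admin cleaning up by hand therefore wants to see both. The script below is an added example, not code from the original thread or from Microsoft's redfix tool. It assumes IIS 5 on Windows 2000 with the ADSI "IIS:" provider and the WMI StdRegProv class available, and it assumes the legacy mapping key is HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots; the site number (1, the default web site) and the file name are placeholders. VBScript is used because that is what IIS 5 administration scripts such as adsutil.vbs were written in.

```vbscript
Option Explicit

' Added example: audit IIS 5 virtual roots in both the legacy registry key and
' the metabase, and flag the mappings a worm cleanup should review.
' Assumptions (not from the original post): the registry key below is the one
' IIS imports at startup; site number 1 is the default web site.
' Run with:  cscript //nologo vroot_audit.vbs

Const HKEY_LOCAL_MACHINE = &H80000002
Const VROOT_KEY = "SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

Dim reg, names, types, data, i
Dim site, vdir, flags, note

' ---- 1. Legacy registry mappings: what IIS picks up when it starts ----
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
WScript.Echo "== Registry 'Virtual Roots' (imported by IIS at startup) =="
If reg.EnumValues(HKEY_LOCAL_MACHINE, VROOT_KEY, names, types) = 0 And IsArray(names) Then
    For i = 0 To UBound(names)
        reg.GetStringValue HKEY_LOCAL_MACHINE, VROOT_KEY, names(i), data
        WScript.Echo "  " & names(i) & " = " & data
    Next
Else
    WScript.Echo "  (key absent or empty)"
End If

' ---- 2. Metabase virtual directories: what IIS restores and actually serves ----
' Removing a registry value alone does not touch these, which is why the
' first version of the tool left worm-generated mappings in place.
WScript.Echo "== Metabase virtual directories under IIS://localhost/W3SVC/1/Root =="
Set site = GetObject("IIS://localhost/W3SVC/1/Root")
For Each vdir In site
    If vdir.Class = "IIsWebVirtualDir" Then
        flags = ""
        note = ""
        If vdir.AccessRead Then flags = flags & "R"
        If vdir.AccessWrite Then flags = flags & "W"
        If vdir.AccessExecute Then flags = flags & "X"
        If vdir.AccessScript Then flags = flags & "S"
        ' Write together with Execute means anything uploaded can be run.
        If vdir.AccessWrite And vdir.AccessExecute Then
            note = note & "  <-- write+execute, review"
        End If
        ' A vroot whose path is just a drive root exposes the whole disk.
        If Len(vdir.Path) = 3 And Right(vdir.Path, 2) = ":\" Then
            note = note & "  <-- drive root, review"
        End If
        WScript.Echo "  /" & vdir.Name & " -> " & vdir.Path & " [" & flags & "]" & note
    End If
Next
```

The script only reports; it does not delete anything, because on an internet-exposed host the right answer is the rebuild both messages call for, and on an internal host the admin should look at each flagged entry (/Scripts and /MSADC with write or execute set, or any mapping to a drive root) before removing it from the metabase.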
Current thread:
- MS tool to disinfect Code Red II aleph1 (Aug 08)
- <Possible follow-ups>
- RE: MS tool to disinfect Code Red II David LeBlanc (Aug 09)