RE: MS tool to disinfect Code Red II

["David LeBlanc" <dleblanc () microsoft com>]

There was a bug in the previous version because of the following IIS
behavior - when you put a virtual root mapping into the registry, IIS
will pick it up when it starts. If you then come along and take it out
from the registry, IIS will put back the virtual roots that it has in
it's metabase when it starts. This has one beneficial side-effect - if
you haven't removed /Scripts or /MSADC previously, IIS will overwrite
the worm's wide-open permissions with the permissions in the metabase,
but it does mean that you can't get rid of the mappings simply by
undoing the damage in the registry.

There will be a new version on the site shortly that removes
worm-generated mappings from the metabase.

Hopefully, this should not need to be repeated, but I'll repeat it
anyway. If your system got the worm and was internet-exposed, a full
rebuild is the only way to assure you're rid of both the worm and any
other attackers. If the system was internal, then you need to make a
risk-benefit trade-off yourself, and because some attackers are
internal, it is still best to rebuild. Because some people might have a
lot of systems to go clean up, the hope is that the tool will help in
the interim.

> -----Original Message-----
> From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com] 
> Sent: Tuesday, August 07, 2001 9:33 PM
> To: incidents () securityfocus com
> Subject: MS tool to disinfect Code Red II
>
>
> Over the past couple of days some folks at Microsoft have 
> been working on a tool to disinfect Code Red II systems. As 
> discussed on the list the appropriate solution to a Code Red 
> II infection is a full reinstall as the backdoor may have 
> been used to compromise the system further, but this tools 
> provides an alternative to those people not willing to go 
> through a reinstall.
>
> You can find the tool at: 
> http://www.microsoft.com/technet/itsolutions/s>
ecurity/tools/redfix.asp
> I'll reprint Microsoft's warning:
>
> * THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II 
> WORM. IT DOES 
>   NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.
>
> * IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN 
> OPENED TO 
>   ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE 
> DIRECT EFFECTS 
>   OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE 
> THAT OTHER 
>   ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.
>
> * WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE 
> CODE RED II 
>   WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE 
> INTERNET BY A ROUTER 
>   OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED 
> INTERNET-FACING SERVERS 
>   BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE 
> CERT WEB SITE . 
>   IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN 
> PUT AT RISK 
>   BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE 
> REBUILT RATHER THAN 
>   BEING PLACED BACK INTO SERVICE.
>
> -- 
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer 
> service. For more information on this free incident handling, 
> management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com