Tool for cleaning up the obvious effects of the Code Red II worm

From: Microsoft Security Response Center (secure@MICROSOFT.COM)
Date: 08/10/01


Message-ID:  <C10F7F33B880B248BCC47DB446738847034BB45C@red-msg-07.redmond.corp.microsoft.com>
Date:         Thu, 9 Aug 2001 22:20:39 -0700
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
Subject:      Tool for cleaning up the obvious effects of the Code Red II worm
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We wanted to let you know that we've posted on our web site a tool that
can be used to clean up the obvious effects of the Code Red II worm. The
tool performs the following operations:

- It removes the malicious files installed by the worm
- It reboots the system to clear the hostile code from memory
- It removes the mappings that the worm is currently known to install
(See the section titled "Cautions" below)
- For systems where IIS was enabled, but not in use, it provides an
option to permanently disable IIS on the server.
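
As an added illustration, not Microsoft's tool and not part of the original message, here is a read-only PowerShell audit that walks the IIS metabase through its ADSI provider and lists every virtual directory with its physical path. The message does not say which mappings the worm installs; the check below flags any virtual directory whose physical path is a bare drive root, which is an assumed heuristic: such a mapping exposes an entire volume over HTTP and has no place on a production server. It assumes the legacy metabase ADSI interface is reachable (IIS 5/6, or IIS 7+ with the IIS 6 Management Compatibility components installed) and that it runs with administrative rights on the server being checked.

```powershell
# Read-only audit of IIS virtual directory mappings via the IIS ADSI provider.
# Assumption: the metabase ADSI interface (IIS://localhost/W3SVC) is available.
# Nothing here modifies the server; it only reports.

function Get-IisVirtualDirs {
    param(
        [ADSI]$Node = [ADSI]"IIS://localhost/W3SVC",
        [string]$Site = ""
    )
    # .psbase reaches the DirectoryEntry members (Children, Name, SchemaClassName,
    # Properties) without colliding with metabase attributes of the same name.
    foreach ($child in $Node.psbase.Children) {
        switch ($child.psbase.SchemaClassName) {
            "IIsWebServer" {
                # One web site: label it with its site id and ServerComment, then descend.
                $comment = $child.psbase.Properties["ServerComment"].Value
                $label = "W3SVC/$($child.psbase.Name) ($comment)"
                Get-IisVirtualDirs -Node $child -Site $label
            }
            "IIsWebVirtualDir" {
                # Metabase property "Path" is the physical directory the vdir maps to.
                $physical = [string]$child.psbase.Properties["Path"].Value
                [pscustomobject]@{
                    Site = $Site
                    VDir = [string]$child.psbase.Name
                    Path = $physical
                }
                # Virtual directories can nest, so keep walking.
                Get-IisVirtualDirs -Node $child -Site $Site
            }
        }
    }
}

function Test-DriveRootMapping {
    param([string]$PhysicalPath)
    # True for a bare drive letter such as "C:" or "D:\" (assumed heuristic).
    return ($PhysicalPath -match '^[A-Za-z]:\\?$')
}

# Report every mapping; mark the ones that expose a whole drive.
Get-IisVirtualDirs | ForEach-Object {
    $flag = if (Test-DriveRootMapping $_.Path) { "DRIVE-ROOT" } else { "" }
    "{0,-11} {1,-35} {2,-20} {3}" -f $flag, $_.Site, $_.VDir, $_.Path
}
```

Run it before the cleanup tool to record the mappings present, and again after the reboot the message calls for, since the second run confirms that nothing was re-created while the worm's code was still in memory. Removing a flagged mapping is left to the tool or to the administrator; this script never changes the metabase.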

The tool and instructions for its use can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/redfix.asp.
Because of potential timing issues caused by the way the worm operates,
the tool should be run a second time after the reboot.

We're sure that readers of NTBugtraq will understand that the worm
exposes any system on which it's active to other attacks that could
result in an unauthorized person gaining complete control of the server.
Thus, the tool should only be used to clean up systems where the risk of
additional damage can be determined to be low. For systems where you
don't have confidence that the risk of additional damage is low, we
recommend wiping the system and reloading the software from distribution
media and the data from backups. Our web page for the tool provides a
link to a CERT Coordination Center page with detailed guidance for such
a "wipe and reinstall" process.

Steve Lipner
Security Program Manager
Microsoft Security Response Center


