Tool for cleaning up the obvious effects of the Code Red II worm

From: Microsoft Security Response Center (secure@microsoft.com)
Date: 08/10/01


Subject: Tool for cleaning up the obvious effects of the Code Red II worm
Date: Thu, 9 Aug 2001 22:17:41 -0700
Message-ID: <C10F7F33B880B248BCC47DB446738847038F9705@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: <Bugtraq@securityfocus.com>

We wanted to let you know that we've posted on our web site a tool that
can be used to clean up the obvious effects of the Code Red II worm.
The tool performs the following operations:

- It removes the malicious files installed by the worm
- It reboots the system to clear the hostile code from memory
- It removes the mappings that the worm is currently known to install
(See the section titled "Cautions" below)
- For systems where IIS was enabled, but not in use, it provides an
option to permanently disable IIS on the server.

The tool and instructions for its use can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsol
utions/security/tools/redfix.asp. Because of potential timing issues
caused by the way the worm operates, the tool should be run a second
time after the reboot

We're sure that readers of Bugtraq will understand that the worm exposes
any system on which its active to other attacks that could result in an
unathorized person gaining complete control of the server. Thus, the
tool should only be used to clean up systems where the risk of
additional damage can be determined to be low. For systems where you
don't have confidence that the risk of additional damage is low, we
recommend wiping the system and reloading the software from distribution
media and the data from backups. Our web page for the tool provides a
link to a CERT Coordination Center page with detailed guidance for such
a "wipe and reinstall" process.

Steve Lipner
Security Program Manager
Microsoft Security Response Center



Relevant Pages

  • Re: Bring me the head of the sasser Creator!!!
    ... > currently circulating on the Internet. ... The worm exploits the Local ... > visit the following Web site: ... > Please contact your Antivirus Vendor for additional details about this ...
    (microsoft.public.security.virus)
  • Re: Strange internet troubles: Virus?
    ... Marc, ... Use the 'Search Incidents by IP' function on my web site: ... I'll bet good money that you are infected with the Slammer worm... ...
    (microsoft.public.security)
  • Teen Uses Worm to Promote Site
    ... Teen Uses Worm to Promote Site ... Manipulation pushes MySpace site to record hits, but raises security ... the most popular member of community Web site MySpace.com earlier this ...
    (alt.comp.anti-virus)
  • Teen Uses Worm to Promote Site
    ... Teen Uses Worm to Promote Site ... Manipulation pushes MySpace site to record hits, but raises security ... the most popular member of community Web site MySpace.com earlier this ...
    (alt.comp.anti-virus)
  • Tool for cleaning up the obvious effects of the Code Red II worm
    ... Tool for cleaning up the obvious effects of the Code Red II worm ... We wanted to let you know that we've posted on our web site a tool that ... additional damage can be determined to be low. ... Security Program Manager ...
    (NT-Bugtraq)