RE: Infected with code red II ?

From: McCammon, Keith (
Date: 08/17/01

Message-ID: <>
From: "McCammon, Keith" <>
To: "''" <>,
Subject: RE: Infected with code red II ?
Date: Fri, 17 Aug 2001 12:38:06 -0400

200 is a HTTP status code. The 2xx series of codes are all success codes of
one type or another; 200 is a "request fulfilled" code. It has nothing to
do with CodeRed, really.

CodeRed exploits a buffer overrun, which permits a malicious user to use a
legitimate service or application in an illegitimate manner. If you apply
the "CodeRed" patch, the buffer overrun on longer exists. However, the
service is still perfectly legitimate, and the application mapping still
exists (maps .ida and .idq extensions to C:\WINNT\System32\idq.dll). As
long as these mappings are in place, a request could return a 2xx code for
success. If you don't use the service at all, Microsoft recommends that you
eradicate the application mappings from IIS altogether. Go to the Web Site
Properties in ISM, and then to Home Directory, and Configuration. Remove
the .ida and .idq mappings. Restart IIS.

Had to crank this out fast. Hope it helps...

Keith W. McCammon
Sr. Network Engineer
DynCorp HITS

-----Original Message----- From: [] Sent: Thursday, August 16, 2001 7:44 PM To: Cc: Subject: Infected with code red II ?

The following is a sample from my IIS 4.0 server (I get the same activity on my IIS 5.0). I have patched the server and I ran the coderedscanner on my server and it showed that the server is clean. I read on this list that a return code of 200 indicates success and if the server is virus proof it should return an error code ... can someone please confirm this and what error code should be returned. What should the log look like if the infection is cleaned up and this is just a probe?

best regards Imran.