Re: Code Red patch issue?

From: Michael J. Cannon (
Date: 08/08/01

Message-ID: <001c01c12046$a9034d50$26389418@scooby>
From: "Michael J. Cannon" <>
To: "Michael J. Cannon" <>, "Cynthia Thorpe" <>, <>
Subject: Re: Code Red patch issue?
Date: Wed, 8 Aug 2001 15:13:59 -0500

Sorry to be so pessimistic. This is MUCH worse than MELISSA or ILY

Here's an article from that MAY offer some help (i.e.
securing an inherently insecure platform when patching is not an option):

I'm using hogwash at 3 of 9 sites pretty seems to work in a pinch
and actually offers some interesting alternative hardening strategies.

Michael J. Cannon
----- Original Message -----
From: "Michael J. Cannon" <>
To: "Cynthia Thorpe" <>;
Sent: Wednesday, August 08, 2001 2:47 PM
Subject: Re: Code Red patch issue?

> It'll be interesting to see if M$ responds, Cynthia. (They lurk here).
> PLEASE tell us how this resolves, if you get help offline (or email me
> directly and I'll add it to the NT4/IIS/ISAPI issues whitepaper I'm
> for a coming conference).
> I've got 9 clients who were in the same boat. My advice to them?:
> -You're hosed. Microsoft has stymied you with their 'upgrades.'
> -Your only alternative (from the MS security site) is an upgrade to W2K
> with possible upgrades to Exchange and the possible requirement to set up
> AS on a separate box.
> Meanwhile, get your box off the net, because you're probably 'owned' by
> and will need to clean the box. As soon as you do and put an unpatched
> back on the net, with Indexing, ISAPI filters, or URL re-directs, (some of
> which are required by the Exchange Web Access and TS) enabled, you'll be
> re-infected. The current CR II and III install a back-door on the
> targeted box that gives anyone who knows how to take control of the box
> (depending on your Enterprise security) your domain.
> The REALLY interesting thing here is why the SPs and patches don't work.
> Suffice to say, it's the fault of Microsoft's business model and
> to the share price of their stock. Despite what they say, their business
> model (that of universally hidden and proprietary code) is dead. Code Red
> and SirCAM and problems of customers such as yourself will simply
> it.
> Michael J. Cannon
> ----- Original Message -----
> From: "Cynthia Thorpe" <>
> To: <>
> Sent: Tuesday, August 07, 2001 9:22 AM
> Subject: Code Red patch issue?
> > Hi,
> > I'm new to the list - and have an issue that I'm hoping someone can
> > assist with. My company is small - and has combined a number of applications
> > on just a few servers. We have Exchange 5.5 (running Outlook web access)
> > SP4, and Citrix Terminal Server (NT SP4 for Terminal Server) running on the
> > same box. Yes, I know that this isn't great - but it's how they have to run
> > at the moment. The Code Red patch fails to install - stating that it
> > install on a Terminal Server PC. Does anyone have any ideas on how to
> > safeguard this server from the virus?
> >
> > Thanks,
> >
> > Cynthia