Tool for cleaning up the obvious effects of the Code Red II worm

From: Microsoft Security Response Center (secureat_private)
Date: Thu Aug 09 2001 - 22:17:41 PDT


    We wanted to let you know that we've posted on our web site a tool that
    can be used to clean up the obvious effects of the Code Red II worm.
    The tool performs the following operations:
    
    - It removes the malicious files installed by the worm 
    - It reboots the system to clear the hostile code from memory 
    - It removes the mappings that the worm is currently known to install
    (See the section titled "Cautions" below) 
    - For systems where IIS was enabled, but not in use, it provides an
    option to permanently disable IIS on the server. 
    
    The tool and instructions for its use can be found at
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/redfix.asp.
    Because of potential timing issues caused by the way the worm operates,
    the tool should be run a second time after the reboot.
    
    We're sure that readers of Bugtraq will understand that the worm exposes
    any system on which it's active to other attacks that could result in an
    unauthorized person gaining complete control of the server.  Thus, the
    tool should only be used to clean up systems where the risk of
    additional damage can be determined to be low.  For systems where you
    don't have confidence that the risk of additional damage is low, we
    recommend wiping the system and reloading the software from distribution
    media and the data from backups.  Our web page for the tool provides a
    link to a CERT Coordination Center page with detailed guidance for such
    a "wipe and reinstall" process.
    
    Steve Lipner
    Security Program Manager
    Microsoft Security Response Center
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 08:07:06 PDT