Anyone on the list that is a VBScript programmer that wants to write a disinfection tool for Code Red II? The scripts would need to:

1. Download Microsoft's patch for the index server vulnerability and verify its MD5 hash.
2. If the system is not running at SP2 and does not have the patch associated with MS00-052 applied, download the patch associated with that advisory and verify its MD5 hash.
3. Ask the user to disconnect the machine from the Internet and wait for him to do so.
4. Shut down IIS. The main worm code will no longer be memory resident.
5. If either of the backdoor files C:\inetpub\scripts\root.exe or D:\inetpub\scripts\root.exe exists, delete it.
6. If either of the trojan files C:\explorer.exe or D:\explorer.exe exists, delete it.
7. If the system is not running at SP2 and does not have the patch associated with MS00-052 applied, install the patch associated with that advisory.
8. Restart the system. The explorer.exe trojan will no longer be memory resident, if it ever was.
9. Reset the following registry keys to either their default value or by prompting the user:
   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc
10. Delete the following registry keys:
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c
   SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d
11. Apply the patch for the index server vulnerability.
12. Restart the system.
13. Ask the user to reconnect the system to the network.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
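A cleanup pass over the host-side artifacts named in the post (the IIS shutdown, the file deletions and the registry resets), as an added VBScript example that is not a script from the post or from SecurityFocus. It assumes that SFCDisable's default is 0 and that the Virtual Roots entries (Scripts, msadc, c, d) are values under that key; patch download, MD5 verification and the reboots are left to the operator because the patch URLs and hashes are not in the post.

```vbscript
Option Explicit
' Added example, not the post's or SecurityFocus' own code: cleanup of the
' host-side Code Red II artifacts the post lists. Patch download, MD5
' checks and reboots are left to the operator (URLs/hashes not in the post).
Dim sh, fso, f, name, cur, wanted
Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Const VROOTS = "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\"
Const SFC = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable"

' Stop the web service so the worm code is no longer memory resident.
sh.Run "net stop w3svc /y", 0, True

' Remove the backdoor and trojan files on both drives, if present.
For Each f In Array("C:\inetpub\scripts\root.exe", "D:\inetpub\scripts\root.exe", _
                    "C:\explorer.exe", "D:\explorer.exe")
    If fso.FileExists(f) Then
        fso.DeleteFile f, True          ' True = force, even if read-only
        WScript.Echo "Deleted " & f
    End If
Next

' SFCDisable back to its default of 0 (Windows File Protection enabled);
' assumption: 0 is the default. The two virtual roots are shown to the
' operator, who confirms or corrects them, as the post suggests.
sh.RegWrite SFC, 0, "REG_DWORD"
For Each name In Array("Scripts", "msadc")
    cur = ReadValue(VROOTS & name)
    wanted = InputBox("Value for Virtual Roots\" & name & " (blank = keep):", _
                      "Code Red II cleanup", cur)
    If wanted <> "" Then sh.RegWrite VROOTS & name, wanted, "REG_SZ"
Next

' Delete the c and d virtual roots the worm added (values under Virtual Roots).
For Each name In Array("c", "d")
    If ReadValue(VROOTS & name) <> "" Then
        sh.RegDelete VROOTS & name
        WScript.Echo "Removed virtual root " & name
    End If
Next

' Returns a registry value, or "" if it does not exist.
Function ReadValue(path)
    On Error Resume Next
    ReadValue = ""
    ReadValue = sh.RegRead(path)
    On Error GoTo 0
End Function
```

Run it with cscript from an administrative account after the machine has been taken off the network; the operator still has to apply the MS00-052 and index server patches and reboot as the post's sequence describes.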
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 18:16:19 PDT