Re: Method to Clean up IIS servers hit by CRv2

From: Ralph Mellor (ralphat_private)
Date: Mon Aug 06 2001 - 11:27:22 PDT


    > So far I've been doing the following:
    >
    > 1. Patch the server.
    >
    > 2. Remove root.exe from the web directories.
    >
    > 3. Remove explorer.exe from c: and/or d:
    >
    > 4. reboot.
    >
    > My main question is do you need to mess with the registry keys that it
    > alters? Are these reset on reboot or do you need to set them to some
    > value? If so what values? Or delete them altogether?
    
    If you want to be sure the machine is clean you need to wipe it and
    start from scratch.
    
    Unlike CR1, CR2 leaves a backdoor, and you don't know what other
    things have been done using that backdoor.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
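The two file artifacts the questioner lists (root.exe in the IIS web directories, explorer.exe dropped in a drive root) can be checked for before deciding whether a box needs a rebuild. The script below is an added example written for this archive, not code from either poster: it walks the published IIS directories for any root.exe and looks for an explorer.exe sitting directly in a drive root, and only reports, never deletes, since a host with a working backdoor should be wiped as the reply says. The directory layout it builds under a temp directory is constructed for the demo (drive letters become subdirectories so it runs on any OS), and the function names, the msadc path and the "MZ-stub" file contents are assumptions, not anything from the original thread.

```python
"""Triage check for the Code Red II (CRv2) file artifacts named in the thread:
root.exe dropped into IIS web/script directories and a trojan explorer.exe
placed in a drive root. Reports findings; it removes nothing, because a host
with a working backdoor should be rebuilt rather than cleaned in place.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # "root.exe" or "explorer.exe"
    path: str


def find_crv2_artifacts(web_roots, drive_roots):
    """Return a sorted list of Finding for every suspicious file found.

    web_roots:   directories published by IIS (wwwroot, scripts, msadc, ...),
                 walked recursively for any file named root.exe.
    drive_roots: top-level directories of local drives (C:\\, D:\\, ...).
                 An explorer.exe directly in a drive root is not a legitimate
                 location for the shell; the real one lives under %SystemRoot%
                 (e.g. C:\\WINNT\\explorer.exe), which is deliberately not
                 flagged here.
    """
    findings = []
    for root in web_roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if name.lower() == "root.exe":
                    findings.append(Finding("root.exe", os.path.join(dirpath, name)))
    for drive in drive_roots:
        if not os.path.isdir(drive):
            continue
        for name in os.listdir(drive):
            candidate = os.path.join(drive, name)
            if name.lower() == "explorer.exe" and os.path.isfile(candidate):
                findings.append(Finding("explorer.exe", candidate))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(base):
    """Construct (assumption: demo data only) a stand-in layout for a CRv2-hit
    server under `base`. Returns (web_roots, drive_roots) for the scanner."""
    layout = {
        "C/Inetpub/wwwroot/default.htm": "<html>ok</html>",          # benign
        "C/Inetpub/scripts/root.exe": "MZ-stub",                     # cmd.exe copy
        "C/Program Files/Common Files/System/msadc/root.exe": "MZ-stub",
        "C/WINNT/explorer.exe": "MZ-stub",                           # legitimate shell
        "C/explorer.exe": "MZ-stub",                                 # trojan in C:\
        "D/explorer.exe": "MZ-stub",                                 # trojan in D:\
    }
    for rel, content in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    c_drive = os.path.join(base, "C")
    d_drive = os.path.join(base, "D")
    web_roots = [
        os.path.join(c_drive, "Inetpub"),
        os.path.join(c_drive, "Program Files", "Common Files", "System", "msadc"),
    ]
    return web_roots, [c_drive, d_drive]


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        web_roots, drive_roots = build_sample_tree(base)
        return find_crv2_artifacts(web_roots, drive_roots)


if __name__ == "__main__":
    hits = run_demo()
    for f in hits:
        print(f"{f.kind:12} {f.path}")
    if hits:
        print("Backdoor artifacts present: treat the host as compromised and rebuild.")
```

On a real server you would pass the actual IIS virtual directory paths and the drive roots (`C:\\`, `D:\\`) instead of the constructed tree; a hit on either artifact means the host has had an open backdoor and, per the reply above, should be wiped rather than patched in place.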
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:44:47 PDT