There was a bug in the previous version because of the following IIS behavior: when you put a virtual root mapping into the registry, IIS will pick it up when it starts. If you then come along and take it out of the registry, IIS will put back the virtual roots that it has in its metabase when it starts. This has one beneficial side effect: if you haven't removed /Scripts or /MSADC previously, IIS will overwrite the worm's wide-open permissions with the permissions in the metabase. But it does mean that you can't get rid of the mappings simply by undoing the damage in the registry. There will be a new version on the site shortly that removes worm-generated mappings from the metabase.

Hopefully this should not need to be repeated, but I'll repeat it anyway. If your system got the worm and was internet-exposed, a full rebuild is the only way to assure you're rid of both the worm and any other attackers. If the system was internal, then you need to make a risk-benefit trade-off yourself, and because some attackers are internal, it is still best to rebuild. Because some people might have a lot of systems to go clean up, the hope is that the tool will help in the interim.

> -----Original Message-----
> From: aleph1at_private [mailto:aleph1at_private]
> Sent: Tuesday, August 07, 2001 9:33 PM
> To: incidentsat_private
> Subject: MS tool to disinfect Code Red II
>
> Over the past couple of days some folks at Microsoft have been working on a
> tool to disinfect Code Red II systems. As discussed on the list, the
> appropriate solution to a Code Red II infection is a full reinstall, as the
> backdoor may have been used to compromise the system further, but this tool
> provides an alternative to those people not willing to go through a
> reinstall.
>
> You can find the tool at:
> http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp
>
> I'll reprint Microsoft's warning:
>
> * THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT
>   ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.
>
> * IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO
>   ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS
>   OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER
>   ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.
>
> * WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II
>   WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER
>   OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS
>   BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.
>   IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK
>   BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN
>   BEING PLACED BACK INTO SERVICE.
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com
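The point of the message above is that the registry is not where the surviving mappings live: whatever IIS has in its metabase comes back at the next start. The script below is an added example (not part of the original thread, and not Microsoft's redfix tool) that audits both places on an IIS 5-era host so you can see what the registry says and what the metabase will actually restore. It assumes the IIS ADSI provider is installed, that the site of interest is W3SVC instance 1 (the default web site), and that the registry value data follows the "physicalPath,username,accessFlags" layout; the flag semantics are deliberately not interpreted, only printed.

```powershell
# Added example: audit IIS virtual roots in the registry and in the metabase.
# Not from the original post or from the redfix tool. Assumptions: IIS ADSI
# provider present (IIS 5/6), default web site is instance 1, run elevated.

$regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
$siteRoot = 'IIS://localhost/W3SVC/1/Root'     # assumption: default site is instance 1
$suspects = @('/Scripts', '/MSADC')            # vroots the post says the worm opens up

Write-Host "== Registry virtual roots ($regKey) =="
if (Test-Path $regKey) {
    $vroots = Get-ItemProperty -Path $regKey
    foreach ($p in $vroots.PSObject.Properties) {
        if ($p.Name -like '/*') {
            # value data is assumed to be "physicalPath,username,accessFlags"
            Write-Host ("{0,-12} -> {1}" -f $p.Name, $p.Value)
        }
    }
} else {
    Write-Host 'no Virtual Roots key present (nothing for IIS to pick up at start)'
}

Write-Host "== Metabase virtual directories under $siteRoot =="
$root = [ADSI]$siteRoot
foreach ($child in $root.Children) {
    if ($child.SchemaClassName -ne 'IIsWebVirtualDir') { continue }
    $name  = '/' + $child.Name
    $path  = [string]$child.Properties['Path'].Value
    $write = [bool]$child.Properties['AccessWrite'].Value
    $exec  = [bool]$child.Properties['AccessExecute'].Value

    $flags = @()
    if ($write) { $flags += 'WRITE' }
    if ($exec)  { $flags += 'EXECUTE' }

    # Worth a second look: write and execute on the same vroot, a vroot whose
    # physical path is a bare drive root, or a writable /Scripts or /MSADC.
    $warn = ''
    if ($write -and $exec)                     { $warn += ' [write+execute]' }
    if ($path -match '^[A-Za-z]:\\?$')         { $warn += ' [maps a whole drive]' }
    if ($suspects -contains $name -and $write) { $warn += ' [writable ' + $name + ']' }

    Write-Host ("{0,-12} -> {1,-30} {2}{3}" -f $name, $path, ($flags -join ','), $warn)
}
```

Anything flagged in the second listing is what IIS will put back regardless of what you fix in the registry; remove it through the metabase (for example with the same ADSI container's `Delete('IIsWebVirtualDir', '<name>')` method, the name being whatever the listing showed) and then restart IIS and re-run the audit. None of this changes the advice in the thread: an internet-exposed host that had the worm gets rebuilt, and this check is for the interim on internal systems.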
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 10:42:37 PDT