From: aleph1@securityfocus.com
Date: Sun Aug 05 2001 - 20:11:00 CDT


    Anyone on the list that is a VBScript programmer that wants to write
    a disinfection tool for Code Red II?

    The script would need to:

    1. Download Microsoft's patch for the index server vulnerability and
       verify its MD5 hash.

    2. If the system is not running SP2 and does not have the patch
       associated with MS00-052 applied, download the patch associated with
       that advisory and verify its MD5 hash.

    3. Ask the user to disconnect the machine from the Internet and wait
       for him to do so.

    4. Shut down IIS. The main worm code will no longer be memory resident.

    5. If either of the backdoor files C:\inetpub\scripts\root.exe or
       D:\inetpub\scripts\root.exe exists, delete it.

    6. If either of the trojan files C:\explorer.exe or D:\explorer.exe exists,
       delete it.

    7. If the system is not running SP2 and does not have the patch
       associated with MS00-052 applied, install the patch associated with
       that advisory.

    8. Restart the system. The explorer.exe trojan will no longer be
       memory resident, if it ever was.

    9. Reset the following registry keys either to their default value or by
       prompting the user:
       SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
       SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
       SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc

    10. Delete the following registry keys:
        SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c
        SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d

    11. Apply the patch for the index server vulnerability.

    12. Restart the system.

    13. Ask the user to reconnect the system to the network.

    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    

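The following is an added example, not code from the original post or from SecurityFocus: a WSH/VBScript sketch of the disconnect, stop-IIS, file-removal and registry steps of the procedure above, for Windows NT 4.0 / 2000 with IIS. It assumes an administrative logon and that the patch download, MD5 verification and installation steps are done by the operator by hand, so they are not performed here. It also assumes (as IIS 4/5 actually stores them) that the `/Scripts`, `/msadc`, `/c` and `/d` entries are values under the `Virtual Roots` key rather than subkeys, and that `SFCDisable` defaults to 0; the prompt text and the `"path,username,flags"` description of the value data are this example's own.

```vbscript
' Added example (not from the original post): Code Red II cleanup sketch
' for Windows NT 4.0 / 2000 + IIS under WSH 5.x. Patch download, hash
' verification and patch installation are intentionally left to the
' operator; run this, then apply MS00-052 and the index server patch.
Option Explicit

Dim sh, fso, drive, path, name, current, fixed
Set sh  = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

Const WINLOGON = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"
Const VROOTS   = "HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\"

' The operator pulls the network cable before anything else.
If MsgBox("Disconnect this machine from the network, then click OK.", _
          vbOKCancel + vbExclamation, "Code Red II cleanup") <> vbOK Then
    WScript.Quit 1
End If

' Stop the web service so the in-process worm code is no longer resident.
' (Third argument True = wait for "net stop" to finish before continuing.)
sh.Run "net stop w3svc", 1, True

' Remove the root.exe backdoor and the explorer.exe trojan on both drives
' the worm targets. An executable that is still running (the trojan
' explorer.exe, if it was picked up at logon) cannot be deleted on NT; it
' is reported so the operator removes it after the reboot.
For Each drive In Array("C:", "D:")
    For Each path In Array(drive & "\inetpub\scripts\root.exe", drive & "\explorer.exe")
        If fso.FileExists(path) Then
            On Error Resume Next
            fso.DeleteFile path, True        ' True = delete even if read-only
            If Err.Number = 0 Then
                WScript.Echo "Deleted " & path
            Else
                WScript.Echo "Could NOT delete " & path & " (" & Err.Description & _
                             "); remove it after the reboot."
                Err.Clear
            End If
            On Error GoTo 0
        End If
    Next
Next

' Re-enable Windows File Protection: SFCDisable = 0 is the default (assumed
' here); the worm sets it non-zero so its files are not restored.
sh.RegWrite WINLOGON & "SFCDisable", 0, "REG_DWORD"

' Scripts and msadc roots. IIS keeps each virtual root as a value under
' "Virtual Roots" with data of the form "path,username,flags" (assumption
' stated in the lead-in); the worm repoints them at the drive root. Rather
' than hard-code a default, show the current data and let the operator
' correct it, as the post allows.
On Error Resume Next
For Each name In Array("/Scripts", "/msadc")
    current = sh.RegRead(VROOTS & name)
    If Err.Number <> 0 Then
        Err.Clear                            ' value absent: nothing to reset
    Else
        fixed = InputBox("Current data for " & name & " is:" & vbCrLf & current & _
                         vbCrLf & vbCrLf & "Enter the correct ""path,,flags"" data:", _
                         "Reset virtual root " & name, current)
        If Len(fixed) > 0 And fixed <> current Then
            sh.RegWrite VROOTS & name, fixed, "REG_SZ"
        End If
    End If
Next

' The worm's own "/c" and "/d" roots, which expose the drive roots over
' HTTP, are removed outright (RegDelete on a value, no trailing backslash).
For Each name In Array("/c", "/d")
    sh.RegDelete VROOTS & name
    If Err.Number <> 0 Then Err.Clear        ' already gone
Next
On Error GoTo 0

' Remaining steps are manual: patch, reboot (the trojan, if resident,
' dies with the session) and only then reconnect the network.
MsgBox "Files and registry cleaned. Apply the MS00-052 and index server " & _
       "patches now, then restart and reconnect the network.", _
       vbInformation, "Code Red II cleanup"
```

Run it with `cscript //nologo cleanup.vbs` from an administrative command prompt so the `WScript.Echo` lines go to the console. Note that the script never downloads anything, which keeps the "disconnect first" step honest: fetch and hash-check the patches on another machine and carry them over.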
    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com