[Dshield] [aleph1@securityfocus.com: MS tool to disinfect Code Red II]

Patrick Oonk patrick at pine.nl
Wed Aug 8 18:16:47 GMT 2001


----- Forwarded message from aleph1 at securityfocus.com -----

Date: Tue, 7 Aug 2001 22:32:31 -0600
From: aleph1 at securityfocus.com
To: incidents at securityfocus.com
Subject: MS tool to disinfect Code Red II

Over the past couple of days some folks at Microsoft have been
working on a tool to disinfect Code Red II systems. As discussed
on the list the appropriate solution to a Code Red II infection is
a full reinstall as the backdoor may have been used to compromise
the system further, but this tool provides an alternative to those
people not willing to go through a reinstall.

You can find the tool at:
http://www.microsoft.com/technet/itsolutions/security/tools/redfix.asp

I'll reprint Microsoft's warning:

* THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES 
  NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.

* IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO 
  ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS 
  OF THE WORM - IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER 
  ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.

* WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II 
  WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER 
  OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS 
  BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.
  IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK 
  BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN 
  BEING PLACED BACK INTO SERVICE.

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----- End forwarded message -----

-- 
 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: Cosmic ray particles crashed through the hard
 disk platter
