Hi,
My machine is NT4 Sp6a and I've applied the MS patch in June.
I've only found (last week) root.exe within c:\inetpub\scripts (only in this folder).
I've deleted this file and restarted the server.
Running your vbs script I see these results:
************************************************
Code Red infection search for PDC on 8/8/01 8:56:02 AM
** Checking for the bad 'explorer.exe' and 'root.exe' files
C:\explorer.exe - not found
C:\inetpub\Scripts\Root.exe - not found
C:\progra~1\Common~1\System\MSADC\Root.exe - not found
E:\explorer.exe - not found
E:\inetpub\Scripts\Root.exe - not found
E:\progra~1\Common~1\System\MSADC\Root.exe - not found
** Checking for the bad Virtual Folders entries
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found
** Checking for the bad System File Checker entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found
** Checking for the rogue Explorer.exe
Rogue Explorer process - found
** you've definitely been infected ! **
** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over. DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.
********************************************************************
What can I do if this is true?
Javier Gonzalez
Madrid (Spain)
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, 08 August 2001 08:45
To: [ISAserver.org Discussion List]
CC: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High
http://www.ISAserver.org
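Added example, not the VBS script from the original post and not written by either poster: a PowerShell version of the same checks the report above runs (dropped explorer.exe and root.exe files, the /C and /D virtual roots, the SFCDisable entry, and an explorer.exe process running from outside the system directory). The drive list is an assumption; the file paths and registry locations are the ones the report names.

```powershell
# Added example: re-checks the Code Red II indicators listed in the report above
# on a Windows host. Not the original poster's VBS script; the drive list is an
# assumption, the paths and registry locations are the ones the report names.
$Drives   = @('C:', 'E:')                      # drives the report checked (assumed)
$Findings = New-Object System.Collections.Generic.List[string]

# Print one report line and record the item when it is a hit
function Report([string]$Item, [bool]$Hit) {
    if ($Hit) { $Findings.Add($Item) }
    '{0} - {1}' -f $Item, $(if ($Hit) { 'FOUND' } else { 'not found' })
}

'** Checking for the dropped explorer.exe and root.exe files'
foreach ($d in $Drives) {
    foreach ($p in "$d\explorer.exe",
                   "$d\inetpub\scripts\root.exe",
                   "$d\Program Files\Common Files\System\MSADC\root.exe") {
        Report $p (Test-Path -LiteralPath $p -PathType Leaf)
    }
}

'** Checking for the /C and /D virtual roots'
$vr = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
foreach ($name in '/C', '/D') {
    $v = Get-ItemProperty -Path $vr -Name $name -ErrorAction SilentlyContinue
    Report "$vr\$name" ($null -ne $v)
}

'** Checking for the SFCDisable entry'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = Get-ItemProperty -Path $wl -Name SFCDisable -ErrorAction SilentlyContinue
Report "$wl\SFCDisable" ($null -ne $sfc)

'** Checking for an explorer.exe running outside %SystemRoot%'
$rogue = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -and
                   -not $_.ExecutablePath.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase') }
foreach ($r in $rogue) { Report "Rogue Explorer process $($r.ProcessId) ($($r.ExecutablePath))" $true }
if (-not $rogue) { 'Rogue Explorer process - not found' }

# Verdict: any single indicator is enough to treat the host as compromised
if ($Findings.Count -gt 0) {
    '** Indicators found: ' + ($Findings -join ', ')
    '** Treat the host as compromised; rebuild it offline and patch before reconnecting.'
} else { '** No Code Red II indicators found' }
```

Run it from an elevated PowerShell session so the process list and HKLM keys are fully readable; a hit on the process check alone, as in the report above, is worth confirming by inspecting the reported ExecutablePath before rebuilding.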