RE: Code Red Sniffer

  • From: Javier Gonzalez <Javier@xxxxxxxxxx>
  • To: "'[ Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 09:24:07 +0200

My machine is NT4 Sp6a and I've applied the MS patch in June. 
I've only found (last week) root.exe within c:\inetpub\scripts  (only in
this folder).
I've deleted this file and restarted the server.

Passing your vbs script I see this results:
  Code Red infection search for PDC on 8/8/01 8:56:02 AM
  **  Checking for the bad 'explorer.exe' and 'root.exe' files
  C:\explorer.exe - not found
  C:\inetpub\Scripts\Root.exe - not found
  C:\progra~1\Common~1\System\MSADC\Root.exe - not found
  E:\explorer.exe - not found
  E:\inetpub\Scripts\Root.exe - not found
  E:\progra~1\Common~1\System\MSADC\Root.exe - not found
  **  Checking for the bad Virtual Folders entries
  HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C -
not found
  HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D -
not found
  **  Checking for the bad System File Checker entry
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable -
not found

  **  Checking for the rogue Explorer.exe
    Rogue Explorer process - found
  **  you've definitely been infected ! **

** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over.  DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.

What can I do if this is true ?

Javier Gonzalez
Madrid (spain)

-----Mensaje original-----
De: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Enviado el: miércoles, 08 de agosto de 2001 08:45
Para: [ Discussion List]
CC: CommuniGate Pro Discussions
Asunto: [isalist] Code Red Sniffer
Importancia: Alta

This is a multi-part message in MIME format..

Other related posts: