The script isn't looking for "multiple" explorer processes, although it is aware of them. What it is looking for specifically is a single-thread explorer process. What NT4 SP are you running? There may be a bug in that part of the script or your WMI support may be lacking; I'll look into it deeper on my end.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "admin" <admin@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 07:45
Subject: [isalist] Re: Code Red Sniffer

http://www.ISAserver.org

Ok, I really hope this isn't a stupid question, but here goes. I installed the patches (NT4 and Win2K) around the 17th of last month and also removed the associations for .ida etc. The checker from Symantec said that everything was OK. Then I ran the sniffer and got the results below from my NT4/IIS4 systems.

Does anyone know under what valid circumstances you can have multiple explorer tasks running?

Many TIA
Richard

Code Red infection search for NT5NEW on 8/8/01 7:03:30 AM
** Checking for the bad 'explorer.exe' and 'root.exe' files
C:\explorer.exe - not found
C:\inetpub\Scripts\Root.exe - not found
C:\progra~1\Common~1\System\MSADC\Root.exe - not found
D:\explorer.exe - not found
D:\inetpub\Scripts\Root.exe - not found
D:\progra~1\Common~1\System\MSADC\Root.exe - not found
E:\explorer.exe - not found
E:\inetpub\Scripts\Root.exe - not found
E:\progra~1\Common~1\System\MSADC\Root.exe - not found
F:\explorer.exe - not found
F:\inetpub\Scripts\Root.exe - not found
F:\progra~1\Common~1\System\MSADC\Root.exe - not found
G:\explorer.exe - not found
G:\inetpub\Scripts\Root.exe - not found
G:\progra~1\Common~1\System\MSADC\Root.exe - not found
H:\explorer.exe - not found
H:\inetpub\Scripts\Root.exe - not found
H:\progra~1\Common~1\System\MSADC\Root.exe - not found
J:\explorer.exe - not found
J:\inetpub\Scripts\Root.exe - not found
J:\progra~1\Common~1\System\MSADC\Root.exe - not found
K:\explorer.exe - not found
K:\inetpub\Scripts\Root.exe - not found
K:\progra~1\Common~1\System\MSADC\Root.exe - not found
** Checking for the bad Virtual Folders entries
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found
** Checking for the bad System File Checker entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found
** Checking for the rogue Explorer.exe
Rogue Explorer process - found
** you've definitely been infected ! **
** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over. DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.
----------------- EOM ---------------

> http://www.ISAserver.org
>
> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code Red
> worm. Since I had to help a hapless friend whose web farm was destroying
> itself, I had to make the search a little more streamlined.
>
> It does:
> 1. find the (presently) known droppings Code Red leaves in its wake
> 2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
> 3. tell you if it definitely identifies Code Red
> It DOES NOT:
> 1. say that Code Red is NOT on your system
> 2. attempt to clean Code Red from your system; this is a box-flattening
> worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing your
> box, you should run this script at least daily for the next several days to
> see if anything new shows up.
>
> It ain't much, but it's something, anyway... Good luck to all.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: admin@xxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
> ------------------------------------------------------

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
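The checks that Richard's log and Jim's reply describe (the dropped explorer.exe and Root.exe copies on each drive, the /C and /D virtual roots under W3SVC, the Winlogon SFCDisable value, and an explorer.exe running as a single thread) can be written as one pure evaluation over a host snapshot, which makes the logic testable on constructed data and keeps the "several explorer.exe processes is not by itself the indicator" point explicit. The example below is added here and is not Jim Harrison's script. It assumes the indicator list from the log above is the complete set being looked for; the dataclass name HostSnapshot, the helper names, and the two sample snapshots are made up for this example, and the Windows collector uses only the standard library (winreg and a Toolhelp32 walk via ctypes).

```python
# Code Red II host-indicator check. Added example, not the script posted to the
# list; it re-implements the checks visible in the thread's log as a pure
# evaluation over a HostSnapshot so it can be exercised offline, plus a
# Windows-only collector that fills a real snapshot from the local machine.
import os
import sys
from dataclasses import dataclass

VROOT_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BAD_VROOTS = ("/C", "/D")   # the two virtual-root names the log checks for


def dropped_file_paths(drive):
    """Files the worm drops on each drive, exactly as the thread's log lists them."""
    return [rf"{drive}:\explorer.exe",
            rf"{drive}:\inetpub\Scripts\Root.exe",
            rf"{drive}:\progra~1\Common~1\System\MSADC\Root.exe"]


@dataclass
class HostSnapshot:          # hypothetical container, not part of the original script
    drives: list             # drive letters to check, e.g. ["C", "D"]
    existing_files: set      # candidate paths that exist on disk
    virtual_roots: set       # value names under the W3SVC "Virtual Roots" key
    sfc_disable: object      # data of Winlogon\SFCDisable, or None if the value is absent
    processes: list          # (image name, thread count) pairs


def evaluate(snap):
    """Return the indicators found. An empty list means 'nothing known was found',
    which, as the original post says, is not a statement that the box is clean."""
    found = []
    have = {p.lower() for p in snap.existing_files}
    for d in snap.drives:
        for p in dropped_file_paths(d):
            if p.lower() in have:
                found.append(f"dropped file {p}")
    for name in snap.virtual_roots:
        if name in BAD_VROOTS:
            found.append(f"virtual root {name} (exposes a drive root through the web site)")
    if snap.sfc_disable is not None:
        found.append(f"Winlogon\\SFCDisable present (data {snap.sfc_disable!r})")
    # Several explorer.exe processes are normal (one per interactive session);
    # the indicator is an explorer.exe with a single thread, which the real shell never has.
    for image, threads in snap.processes:
        if image.lower() == "explorer.exe" and threads == 1:
            found.append("single-threaded explorer.exe process")
    return found


def constructed_samples():
    """Two made-up snapshots: a clean host with two healthy shells, and an infected one."""
    clean = HostSnapshot(["C"], set(), {"/Scripts", "/MSADC"}, None,
                         [("explorer.exe", 43), ("explorer.exe", 38), ("inetinfo.exe", 25)])
    infected = HostSnapshot(["C", "D"], {r"D:\explorer.exe"}, {"/C"}, 0xFFFFFF9D,
                            [("explorer.exe", 41), ("explorer.exe", 1)])
    return clean, infected


def _toolhelp_processes():
    """(image name, thread count) for every process via Toolhelp32 (Windows only)."""
    import ctypes
    from ctypes import wintypes

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", ctypes.c_char * 260)]

    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    snap = k32.CreateToolhelp32Snapshot(0x00000002, 0)   # TH32CS_SNAPPROCESS
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(PROCESSENTRY32)
    out = []
    try:
        ok = k32.Process32First(snap, ctypes.byref(entry))
        while ok:
            out.append((entry.szExeFile.decode("mbcs", "replace"), int(entry.cntThreads)))
            ok = k32.Process32Next(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return out


def collect_windows_snapshot():
    """Gather a HostSnapshot from the local machine (Windows only)."""
    import string
    import winreg
    drives = [d for d in string.ascii_uppercase[2:] if os.path.isdir(d + ":\\")]
    files = {p for d in drives for p in dropped_file_paths(d) if os.path.exists(p)}
    vroots = set()
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VROOT_KEY) as key:
            i = 0
            while True:
                try:
                    vroots.add(winreg.EnumValue(key, i)[0])
                except OSError:
                    break
                i += 1
    except OSError:
        pass   # key absent: no IIS 4/5 virtual roots mirrored in the registry
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            sfc = winreg.QueryValueEx(key, "SFCDisable")[0]
    except OSError:
        sfc = None
    return HostSnapshot(drives, files, vroots, sfc, _toolhelp_processes())


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; evaluate() works on any constructed snapshot")
    hits = evaluate(collect_windows_snapshot())
    print("\n".join(hits) if hits else "no known Code Red II indicators found (not proof of a clean box)")
```

On the clean sample, the two healthy explorer.exe processes produce no finding at all, which is the distinction Jim draws in his reply; on the infected sample, each of the four indicator classes is reported once. Note that evaluate() only says what was found, so a host where the dropped files were already deleted but the rogue process is still running reports exactly what Richard's log shows.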