Re: Code Red Sniffer

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Aug 2001 08:38:49 -0700

The script isn't looking for "multiple" explorer processes, although it is
aware of them.  What it is looking for specifically is a single-thread
explorer process.
What NT4 SP are you running?
There may be a bug in that part of the script or your WMI support may be
lacking; I'll look into it deeper on my end.

Jim Harrison
MCP(2K), A+, Network+, PCG
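As an added example (not Jim's own WMI script, which is not on this page), the four indicator checks the log below walks through, with the single-thread explorer heuristic described in the reply above, written in PowerShell; the Win32_Process ThreadCount query and the log file location are assumptions.

```powershell
# Added example, not Jim Harrison's script: re-implements the four indicator
# checks from the thread. Run in an elevated PowerShell on the IIS host.
$findings = @()

# 1. Dropped copies of explorer.exe and root.exe on every drive letter
#    (8.3 short path as it appears in the log).
$droppings = @('explorer.exe',
               'inetpub\Scripts\Root.exe',
               'progra~1\Common~1\System\MSADC\Root.exe')
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($rel in $droppings) {
        $path = Join-Path $drive.Root $rel
        if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "file: $path" }
    }
}

# 2. IIS virtual roots /C and /D, which map whole drives into the web space.
$vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
if (Test-Path -LiteralPath $vroots) {
    $props = Get-ItemProperty -LiteralPath $vroots
    foreach ($name in '/C', '/D') {
        if ($props.PSObject.Properties[$name]) { $findings += "virtual root: $name" }
    }
}

# 3. System File Checker turned off via Winlogon\SFCDisable.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-ItemProperty -LiteralPath $winlogon).PSObject.Properties['SFCDisable']) {
    $findings += 'SFCDisable value present'
}

# 4. Rogue explorer.exe: the heuristic from the thread is a single-threaded
#    explorer process, queried here through WMI (Win32_Process.ThreadCount).
$explorers = @(Get-CimInstance Win32_Process -Filter "Name='explorer.exe'")
foreach ($p in $explorers) {
    if ($p.ThreadCount -eq 1) {
        $findings += "single-thread explorer: PID $($p.ProcessId) at $($p.ExecutablePath)"
    }
}

# Report; log location mirrors the original script's naming and is an assumption.
$log = Join-Path $env:SystemDrive "CodeRed_insp_$env:COMPUTERNAME.log"
$header = "Code Red indicator search on $env:COMPUTERNAME at $(Get-Date)"
if ($findings.Count -eq 0) {
    $body = 'No known Code Red indicators found (this does not prove the host is clean).'
} else {
    $body = ($findings | ForEach-Object { "FOUND: $_" }) -join [Environment]::NewLine
}
@($header, "explorer.exe processes: $($explorers.Count)", $body) | Tee-Object -FilePath $log
```

A second explorer.exe is reported in the count but, as in the original script, only a single-threaded one is treated as a definite hit.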


----- Original Message -----
From: "admin" <admin@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 07:45
Subject: [isalist] Re: Code Red Sniffer


http://www.ISAserver.org


Ok,

I really hope this isn't a stupid question, but here goes. I installed the
patches (nt4 and win2k) around the 17th of last month and also removed the
associations for .ida etc. The checker from symantec said that everything
was ok. Then I ran the sniffer and got the results below from my nt4/iis4
systems. Does anyone know under what valid circumstances you can have
multiple explorer tasks running ?

Many TIA

Richard

Code Red infection search for NT5NEW on 8/8/01 7:03:30 AM


  **  Checking for the bad 'explorer.exe' and 'root.exe' files
C:\explorer.exe - not found

C:\inetpub\Scripts\Root.exe - not found

C:\progra~1\Common~1\System\MSADC\Root.exe - not found

D:\explorer.exe - not found

D:\inetpub\Scripts\Root.exe - not found

D:\progra~1\Common~1\System\MSADC\Root.exe - not found

E:\explorer.exe - not found

E:\inetpub\Scripts\Root.exe - not found

E:\progra~1\Common~1\System\MSADC\Root.exe - not found

F:\explorer.exe - not found

F:\inetpub\Scripts\Root.exe - not found

F:\progra~1\Common~1\System\MSADC\Root.exe - not found

G:\explorer.exe - not found

G:\inetpub\Scripts\Root.exe - not found

G:\progra~1\Common~1\System\MSADC\Root.exe - not found

H:\explorer.exe - not found

H:\inetpub\Scripts\Root.exe - not found

H:\progra~1\Common~1\System\MSADC\Root.exe - not found

J:\explorer.exe - not found

J:\inetpub\Scripts\Root.exe - not found

J:\progra~1\Common~1\System\MSADC\Root.exe - not found

K:\explorer.exe - not found

K:\inetpub\Scripts\Root.exe - not found

K:\progra~1\Common~1\System\MSADC\Root.exe - not found

  **  Checking for the bad Virtual Folders entries
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C -
not found

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D -
not found

  **  Checking for the bad System File Checker entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not
found

  **  Checking for the rogue Explorer.exe
Rogue Explorer process - found
 **  you've definitely been infected ! **


** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over.  DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.

-----------------  EOM ---------------



> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code Red
> worm.  Since I had to help a hapless friend whose web farm was destroying
> itself,  I had to make the search a little more streamlined.
>
> It does:
>     1. find the (presently) known droppings Code Red leaves in its wake
>     2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
>     3. tell you if it definitely identifies Code Red
> It DOES NOT:
>     1. say that Code Red is NOT on your system
>     2. attempt to clean Code Red from your system; this is a box-flattening
>        worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing your
> box, you should run this script at least daily for the next several days to
> see if anything new shows up.
>
> It ain't much, but it's something, anyway...  Good luck to all.
>
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
>






------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



