Hi Jim,

SP6a - I think !

ta
Richard

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 8:38 AM
Subject: [isalist] Re: Code Red Sniffer

> http://www.ISAserver.org
>
> The script isn't looking for "multiple" explorer processes, although it is
> aware of them. What it is looking for specifically is a single-thread
> explorer process.
> What NT4 SP are you running?
> There may be a bug in that part of the script or your WMI support may be
> lacking; I'll look into it deeper on my end.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "admin" <admin@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, August 08, 2001 07:45
> Subject: [isalist] Re: Code Red Sniffer
>
> > Ok,
> >
> > I really hope this isn't a stupid question, but here goes. I installed the
> > patches (nt4 and win2k) around the 17th of last month and also removed the
> > associations for .ida etc. The checker from symantec said that everything
> > was ok. Then I ran the sniffer and got the results below from my nt4/iis4
> > systems. Does anyone know under what valid circumstances you can have
> > multiple explorer tasks running ?
> >
> > Many TIA
> >
> > Richard
> >
> > Code Red infection search for NT5NEW on 8/8/01 7:03:30 AM
> >
> > ** Checking for the bad 'explorer.exe' and 'root.exe' files
> > C:\explorer.exe - not found
> > C:\inetpub\Scripts\Root.exe - not found
> > C:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > D:\explorer.exe - not found
> > D:\inetpub\Scripts\Root.exe - not found
> > D:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > E:\explorer.exe - not found
> > E:\inetpub\Scripts\Root.exe - not found
> > E:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > F:\explorer.exe - not found
> > F:\inetpub\Scripts\Root.exe - not found
> > F:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > G:\explorer.exe - not found
> > G:\inetpub\Scripts\Root.exe - not found
> > G:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > H:\explorer.exe - not found
> > H:\inetpub\Scripts\Root.exe - not found
> > H:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > J:\explorer.exe - not found
> > J:\inetpub\Scripts\Root.exe - not found
> > J:\progra~1\Common~1\System\MSADC\Root.exe - not found
> > K:\explorer.exe - not found
> > K:\inetpub\Scripts\Root.exe - not found
> > K:\progra~1\Common~1\System\MSADC\Root.exe - not found
> >
> > ** Checking for the bad Virtual Folders entries
> > HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
> > HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found
> >
> > ** Checking for the bad System File Checker entry
> > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found
> >
> > ** Checking for the rogue Explorer.exe
> > Rogue Explorer process - found
> > ** you've definitely been infected ! **
> >
> > ** You have one or more definite indications of Code Red V2 on your system.
> > ** You need to flatten this box and start over. DO NOT connect to a network
> > ** until you have completely rebuilt the system AND installed the security
> > ** patch from Microsoft.
> > ----------------- EOM ---------------
> >
> > Hello weary Code Red battlers,
> >
> > I've created a script that searches your system to sniff out the Code Red
> > worm. Since I had to help a hapless friend whose web farm was destroying
> > itself, I had to make the search a little more streamlined.
> >
> > It does:
> > 1. find the (presently) known droppings Code Red leaves in its wake
> > 2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
> > 3. tell you if it definitely identifies Code Red
> > It DOES NOT:
> > 1. say that Code Red is NOT on your system
> > 2. attempt to clean Code Red from your system; this is a box-flattening
> > worm
> >
> > Since Code Red is known to sleep for at least 24 hours before trashing your
> > box, you should run this script at least daily for the next several days to
> > see if anything new shows up.
> >
> > It ain't much, but it's something, anyway... Good luck to all.
> >
> > Jim Harrison
> > MCP(2K), A+, Network+, PCG
> >
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > admin@xxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
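The checks that the sniffer log above walks through (explorer.exe at each drive root, root.exe under Scripts and MSADC, the /C and /D virtual roots, SFCDisable under Winlogon, and a rogue explorer.exe process) are simple enough to re-implement. The block below is an added example written for this page, not Jim Harrison's script and not taken from the thread; it targets a current Windows host with PowerShell rather than NT4/WMI. The file paths, registry locations and the single-thread explorer.exe heuristic come from the messages above; the function name, the image-path check on explorer.exe, and the log layout are my own assumptions.

```powershell
# Added example, not Jim Harrison's sniffer. Run elevated on the IIS host.
# Indicators follow the thread above; the image-path check is an addition.

function Test-CodeRedIndicators {
    $findings = @()

    # 1. Dropped files: explorer.exe at each fixed drive root, and root.exe in
    #    the Scripts and MSADC directories (same locations the log lists, using
    #    long names instead of progra~1\common~1).
    $relativePaths = @(
        'explorer.exe',
        'inetpub\Scripts\root.exe',
        'Program Files\Common Files\System\MSADC\root.exe'
    )
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($drive in $drives) {
        foreach ($rel in $relativePaths) {
            $path = Join-Path $drive.Root $rel
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $findings += "file: $path"
            }
        }
    }

    # 2. IIS virtual roots "/C" and "/D". These are values under the W3SVC
    #    key, so they appear as properties of the key object, not sub-keys.
    $vrootKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
    if (Test-Path -LiteralPath $vrootKey) {
        $vroots = Get-ItemProperty -LiteralPath $vrootKey
        foreach ($name in '/C', '/D') {
            $prop = $vroots.PSObject.Properties[$name]
            if ($null -ne $prop) { $findings += "vroot: $name -> $($prop.Value)" }
        }
    }

    # 3. SFCDisable under Winlogon, the value the log checks; it is normally
    #    absent, so its mere presence is reported.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = Get-ItemProperty -LiteralPath $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
    if ($null -ne $sfc) { $findings += "registry: SFCDisable = $($sfc.SFCDisable)" }

    # 4. Rogue explorer.exe. The thread's heuristic is a single-thread explorer
    #    process. Added here (assumption): also flag an explorer.exe whose image
    #    lives outside %SystemRoot%, which is where a drive-root copy runs from.
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $image = $proc.Path   # $null when the caller cannot open the process
        if ($proc.Threads.Count -eq 1) {
            $findings += "process: explorer.exe PID $($proc.Id) has a single thread"
        } elseif ($image -and ($image -notlike "$env:SystemRoot\*")) {
            $findings += "process: explorer.exe PID $($proc.Id) runs from $image"
        }
    }

    return $findings
}

# Same log location as the original script: C:\CodeRed_insp_<MachName>.log
$logPath = "C:\CodeRed_insp_$($env:COMPUTERNAME).log"
$report  = @("Code Red indicator search on $env:COMPUTERNAME at $(Get-Date)")
$hits    = @(Test-CodeRedIndicators)
if ($hits.Count -eq 0) {
    $report += 'No known indicator present (this does NOT prove the host is clean)'
} else {
    $report += $hits
    $report += '** One or more definite indications of Code Red; rebuild the host offline **'
}
$report | Tee-Object -FilePath $logPath
```

Two caveats carried over from the thread apply to this version as well. An empty result only means none of the known droppings were present at the moment the script ran, which is why Jim's advice to re-run it daily stands. And when the only hit is the explorer.exe heuristic, as in Richard's log, check the process by hand (image path, parent, thread count) before rebuilding, since that is the one check the original author suspected might misfire on NT4.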