Thanks Jim...

Although I had already updated all our servers more than a week prior to the "hit"... I ran your script. It seems that I was not as thorough as I had initially thought. I had neglected to do one NT 4 machine. Thanks to you, things are back to normal.

-- Scott

> http://www.ISAserver.org
>
> Hello weary Code Red battlers,
>
> I've created a script that searches your system to sniff out the Code Red
> worm. Since I had to help a hapless friend whose web farm was destroying
> itself, I had to make the search a little more streamlined.
>
> It does:
> 1. find the (presently) known droppings Code Red leaves in its wake
> 2. leave a log file on your system as "C:\CodeRed_insp_<MachName>.log"
> 3. tell you if it definitely identifies Code Red
>
> It DOES NOT:
> 1. say that Code Red is NOT on your system
> 2. attempt to clean Code Red from your system; this is a box-flattening
>    worm
>
> Since Code Red is known to sleep for at least 24 hours before trashing your
> box, you should run this script at least daily for the next several days to
> see if anything new shows up.
>
> It ain't much, but it's something, anyway... Good luck to all.
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG