-----Original Message-----
From: The SANS Institute [mailto:sans@xxxxxxxx]
Sent: Wednesday, 8 August 2001 19:48
To: Hugo Caye
Subject: SANS NewsBites Vol. 3 Num. 32

To: Hugo Caye (SD569595)
From: Alan for the SANS NewsBites service
Re: August 8 SANS NewsBites

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A very busy week.

.. [snip]

Code Red II: Cleaning Up After the Compromise
- ----------------------------------------------

Many people have been asking: "How do I get rid of the Code Red II worm once it has infected a system?" Code Red II installs a backdoor that is open to any attacker. This means that it is impossible to tell what changes may have been made while the Code Red II backdoor was open.

We are facing a public health problem. Many people who had unpatched IIS servers had no knowledge that IIS was running on their systems.

An administrator can remove the Code Red II worm itself, but any additional backdoors or malicious changes made by follow-on attackers will still remain, undetected, after the worm is removed. The only real solution is to reformat the hard drive and reinstall all the software. For some individuals, this is not an option; the best shortcut is probably to update your antivirus signatures to detect any Trojans that might be installed on your system and remove the worm as shown below.

It is possible to remove the worm from the system as described here:
http://archives.neohapsis.com/archives/incidents/2001-08/0107.html

Further, the Privacy Software Corporation is providing a free tool that will help you remove the worm from an infected server:
http://www.nsclean.com/cr2kill.html

.. [snip]