{\rtf1\ansi\ansicpg1252\deff0\deftab720{\fonttbl{\f0\fswiss MS Sans Serif;}{\f1\froman\fcharset2 Symbol;}{\f2\fmodern Courier New;}{\f3\froman Times New Roman;}{\f4\fswiss Courier New;}} {\colortbl\red0\green0\blue0;\red0\green0\blue255;} \deflang1033\pard\plain\f3\fs24 The "Code Red" worm (also known as "Bady" and "Hacked by Chinese") exploits fundamental flaws in Microsoft's ISAPI libraries for the Microsoft IIS (Internet Information Server) and "FrontPage Extensions" web server services. Its original release did a great deal of damage, but its effects were largely in the "DDoS" (Distributed Denial of Service) class: the primary impact was the loss of web sites through impaired or destroyed access to them. Although Microsoft has released a patch for this particular exploit, many sites across the world have failed to install it, leaving their Microsoft IIS web servers vulnerable to attack by this worm. \par This exploit attacks Windows 2000 and Windows XP machines running IIS; it is not one of the commonplace "worm viruses" that typically affect only Windows 95, 98 or ME home computers. It has a bug which causes it to fail to propagate on Windows NT machines. It is also not a traditional "virus" or "trojan horse", so no antivirus or antitrojan program will help you with this particular nasty: the standard method by which an intrusion is detected falls by the wayside, because Code Red lives ENTIRELY within the memory of a legitimate program. It does drop files (the backdoor copies listed below), but the worm itself lives inside the memory space of the operating system. The only conventional way to be rid of it would be to destroy your system and render it useless, and that is not an option. 
\par The SANS INSTITUTE has published a detailed report: \plain\f3\fs24\cf1\ul http://www.incidents.org/react/code_redII.php\plain\f3\fs24 \par The ONLY solution for this problem is to apply the Microsoft patch, which can be found at: \par \plain\f3\fs24\cf1\ul http://www.microsoft.com/technet/security/bulletin/MS01-033.asp\plain\f3\fs24 \par If you have not already applied the patch, your machine must be considered THOROUGHLY compromised and should be reformatted from scratch, with the resulting loss of all data on it. This worm copies the standard CMD.EXE command shell into folders reachable from the outside; a copy is placed at each of the following locations: \par \pard\plain\f4\fs20 \par C:\\inetpub\\scripts\\root.exe \par D:\\inetpub\\scripts\\root.exe (depending on which drive holds the web hosts) \par \par and \par \par C:\\progra~1\\common~1\\system\\MSADC\\root.exe \par D:\\progra~1\\common~1\\system\\MSADC\\root.exe (depending on which drive MSADC is installed on) \par \par \pard\plain\f3\fs24 It also creates a trojaned replacement for EXPLORER.EXE, placed in the "virtual root" folder of drive C: and drive D:, which is executed instead of the "real" EXPLORER.EXE and so provides a continuing backdoor even after the worm itself has been cleaned up. This "EXPLORER.EXE" will be found in: \par \pard\plain\f4\fs20 \par C:\\EXPLORER.EXE (the real one is in your \\WINNT folder) \par D:\\EXPLORER.EXE \par \pard\plain\f3\fs24 BE SURE TO CHECK for the presence of the above files and delete them, regardless of whether CR2Kill detects them or not. The Start button's FIND/SEARCH function can locate these files in the above locations. CR2Kill checks for the presence of these files as well as for the GlobalATOM placed by CodeRedII; any of these will trigger a detection. 
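As an added defender-side example (not part of this page and not CR2Kill's own code), the Python below performs the two checks the text describes: it looks for the dropped root.exe and EXPLORER.EXE indicator files under whichever drive roots you hand it, and it flags requests for the web-reachable /scripts/root.exe and /MSADC/root.exe paths in an IIS W3C-format request log. The drive-root list, the log field layout, and the sample log lines are constructed assumptions; the sample directory tree is built by the script itself so it runs offline.

```python
# Added example: host and log indicator checks for the CodeRedII backdoor files
# described on the page. Not CR2Kill code; drive letters and log format are assumptions.
import tempfile
from pathlib import Path

# Where the page says the dropped files land, relative to each drive's root.
INDICATOR_RELPATHS = (
    "inetpub/scripts/root.exe",
    "progra~1/common~1/system/MSADC/root.exe",
    "EXPLORER.EXE",   # the trojaned copy; the real one lives in \WINNT
)

# URL paths through which the copied CMD.EXE is reachable from the Internet.
BACKDOOR_URI_STEMS = {"/scripts/root.exe", "/msadc/root.exe"}


def find_indicator_files(drive_roots):
    """Return the indicator files that exist under any of the given drive roots.

    drive_roots: e.g. ["C:\\", "D:\\"] on a real host (assumed layout);
    a temporary directory in the demonstration below.
    Components are matched case-insensitively so the check behaves the same on
    NTFS and on a case-sensitive filesystem.
    """
    found = []
    for root in drive_roots:
        for rel in INDICATOR_RELPATHS:
            hit = _lookup_ci(Path(root), rel.split("/"))
            if hit is not None:
                found.append(str(hit))
    return found


def _lookup_ci(base, parts):
    """Walk `parts` below `base`, matching each path component case-insensitively."""
    cur = base
    for part in parts:
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur if cur.is_file() else None


def scan_iis_log(lines):
    """Return requests for the backdoor paths found in an IIS W3C extended log.

    The #Fields: header is used to locate columns, so the field order need not be
    fixed. A 2xx status means the request was served, i.e. the copied CMD.EXE was
    present and reachable at that moment; a 404 is a probe that found nothing.
    """
    cols = None
    hits = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            cols = line.split()[1:]
            continue
        if not line or line.startswith("#") or cols is None:
            continue
        fields = line.split()
        if len(fields) != len(cols):
            continue          # malformed line: skip rather than misalign columns
        rec = dict(zip(cols, fields))
        if rec.get("cs-uri-stem", "").lower() in BACKDOOR_URI_STEMS:
            status = rec.get("sc-status", "")
            hits.append({
                "when": rec.get("date", "?") + " " + rec.get("time", "?"),
                "client": rec.get("c-ip", "?"),
                "uri": rec["cs-uri-stem"],
                "status": status,
                "served": status.startswith("2"),
            })
    return hits


# Constructed sample log (not a real capture); layout follows IIS 5 W3C extended logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 14:03:11 10.0.0.5 GET /scripts/root.exe - 200
2001-08-05 14:03:12 10.0.0.5 GET /index.html - 200
2001-08-05 14:04:40 10.0.0.9 GET /MSADC/root.exe - 200
2001-08-05 14:05:02 10.0.0.7 GET /scripts/root.exe - 404
""".splitlines()


def make_sample_tree():
    """Create a throwaway directory mimicking an infected drive root (constructed demo data)."""
    base = Path(tempfile.mkdtemp(prefix="cr2demo_"))
    (base / "inetpub" / "scripts").mkdir(parents=True)
    (base / "inetpub" / "scripts" / "root.exe").write_bytes(b"")
    (base / "explorer.exe").write_bytes(b"")   # lower-case on purpose: NTFS ignores case
    return str(base)


if __name__ == "__main__":
    for path in find_indicator_files([make_sample_tree()]):
        print("indicator file present:", path)
    for hit in scan_iis_log(SAMPLE_LOG):
        print("backdoor request:", hit)
```

On a real host you would call find_indicator_files with the actual drive roots (for example ["C:\\", "D:\\"]) and feed scan_iis_log the lines of the IIS log files; a served (2xx) hit on one of the root.exe paths is the strongest sign that the dropped shell was reachable from outside, and the host should be treated as compromised exactly as the text above says.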
Once again, more detail will be forthcoming, but everyone here is seriously whipped at the moment from lack of sleep. The software will let you know whether or not you are infected. \par IF YOU ARE INFECTED, the CR2Kill software will provide step-by-step instructions for removing the infection and will then attempt to start your browser (if you permit it to) to take you DIRECTLY to the Microsoft patch site for this vulnerability. After you have applied the patch, be sure to run the utility once more to ensure you have not been RE-attacked and exploited in the meantime. Once the patch has been applied and CR2Kill has given you a clean bill of health, the only remaining concern is to ensure that no ROOT.EXE files remain on your system. \par \plain\f3\fs24\b HOW TO USE CR2KILL\plain\f3\fs24 \par First download CR2KILL.EXE from our site or from one of the mirrors listed at the top of this page. \par Additional sites will be made available as soon as arrangements can be made. If you have any difficulty downloading the CR2KILL.EXE file, we will make other arrangements overnight to increase its availability. Owing to the strenuous circumstances, anyone who downloads a copy of CR2KILL.EXE is encouraged to make it available elsewhere. We only ask that you send an email to support@nsclean.com to let US know where it was uploaded, so that if any modifications are required after the fact we can make sure that every site you sent it to has the latest build. The original "pre-release" issued on Sunday was updated on Monday, August 6, 2001 at 9:20AM Eastern US time to include an adjustment for Virtual Pathing registry entry removals. Any copies obtained prior to this final release do not contain this adjustment. 
\par \pard\qc\plain\f3\fs48\b CR2Kill Support\plain\f3\fs48 \par \pard\plain\f3\fs24 CR2KILL.EXE has been released after testing in our laboratories on Windows NT, Windows 2000, Windows XP RC2 and, of course, Win95, 98 and ME. After extensive testing with no false alarms and no failures to detect, no problems have been found. \par \pard\plain\f2\fs20 \par }