The UK Home Automation Archive


RE: IIS Worm


  • To: ukha_d@xxxxxxx
  • Subject: RE: IIS Worm
  • From: "Gareth Cook/STA/Lotus" <gcook@xxxxxxx>
  • Date: Tue, 18 Sep 2001 23:03:10 +0100
  • Delivered-to: mailing list ukha_d@xxxxxxx
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

There are two recent hits - first was CodeRed, and last week, CodeBlue

CodeRed
To remove the worm:


Automated Process

Download the Microsoft fix tool.  This tool will remove the effects of the
Code Red Virus.  You still need to apply the IIS patch to prevent
re-infection.

This tool will reboot Windows 2000 systems.  Windows NT systems need to
reboot after applying the Microsoft Fix tool.  Regardless, please ensure
that a reboot has taken place after applying the fix tool.


Manual Process

1. Download, obtain and apply the patch from the following Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

2. Terminate the current process associated with the dropped Trojan (NAV
detects this as Trojan.VirtualRoot) by following these steps:


1. Press CTRL-ALT-DELETE and click on Task Manager.
2. Click on the tab titled Processes.
3. Click on the box titled Image Name to sort the processes alphabetically.
4. You should find 2 processes titled Explorer.exe, one of them is
legitimate, the other is the Trojan.
5. To ensure that the correct process is terminated, from the View menu
choose "Select Columns...".
6. Once the dialog box opens make sure there is a checkmark in the "Thread
Count" box, then select OK.
7. A new column will appear in the Task manager listing the current number
of threads associated with each process.
8. Of the 2 Explorer.exe processes, click on the one which has only 1
thread.
9. Once selected, press the End Process button located at the bottom of the
Task Manager window.
10. A warning message will appear, click YES to terminate the process.
11. Close the Task Manager by selecting the option End Task Manager from
the File menu.


3. Next you must delete the explorer.exe files which have been created on
the infected system. These files are hidden, system files which are read
only. To delete them, perform the following steps:


1. Open a command prompt by clicking on Start -> Run.
2. Type in cmd and hit enter.
3. Change to the root directory by typing cd c:\ and hitting enter.
4. You will be required to change the attributes on the explorer.exe file.
This is done by typing the command attrib -h -s -r explorer.exe and hitting
enter.
5. Then type del explorer.exe and hit enter. The Trojan will be deleted
from the C drive.
6. At the prompt, type d: then hit enter to change to the D drive if
present.
7. Change to the root directory by typing cd d:\ and hitting enter.
8. You will be required to change the attributes on the explorer.exe file.
This is done by typing the command attrib -h -s -r explorer.exe and hitting
enter.
9. Then type del explorer.exe and hit enter. The Trojan will be deleted
from the D drive.
10. Type exit and hit enter to close the command prompt window.


4. It is safe to delete the following 4 files if they exist (They are
simply copies of the file %Windir%\root.exe):
C:\inetpub\Scripts\Root.exe
D:\inetpub\Scripts\Root.exe
C:\progra~1\Common~1\System\MSADC\Root.exe
D:\Progra~1\Common~1\System\MSADC\Root.exe


5. The final step requires modifying the registry to undo the changes which
have been made. Please see the next section titled To edit the registry and
remove keys and changes made by the worm to complete the removal process.


To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before
making any changes. Incorrect changes to the registry can result in
permanent data loss or corrupted files. Please make sure you modify only
the keys specified in this document. For more information about how to back
up the registry, please read How to back up the Windows registry before
proceeding with the following steps. If you are concerned that you cannot
follow these steps correctly, then please do not proceed. Consult a
computer technician for more information.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and hit enter to start the Registry editor.
3. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

4. In the right window pane you will see a number of values. 2 of these
values can be deleted entirely as they were created by CodeRed.v3.


1. Select the value

/C

2. Press Delete and then click Yes to confirm.
3. Select the value

/D

4. Press Delete and then click Yes to confirm.
5. Double-click the value

/MSADC

6. Delete only the digits 217 from the current value data and replace them
with the digits 201, then click OK.
7. Double-click the value

/Scripts

8. Delete only the digits 271 from the current value data and replace them
with the digits 201, then click OK.


5. Steps 5-7 apply to Windows 2000 systems. Navigate to and select the
following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

6. Double-click the value

SFCDisable

7. Delete the current value data, and then type: 0 (That is, type the
following character: zero), then click OK.
8. Reboot the system to ensure that CodeRed.v3 has been properly removed.


CodeBlue
Patch availability

NOTE: If you install IIS after the patch is applied, you MUST reapply the
Microsoft Patch again

Download locations for this patch
Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and
available from the original equipment manufacturer.
Windows XP beta:
The vulnerability is eliminated beginning with Windows XP Release Candidate 1.


Gareth Cook
Senior Engineering Specialist
EMEA ED, IBM SWG
Lotus Park, Staines, TW18 3AG
Office: +44 (0) 1784 445 166
Mobile: +44 (0) 7980 445 166
Fax: +44 (0) 1784 499 166
Work: g@xxxxxxx
Personal: g@xxxxxxx
AIM Chat: TheBoyG
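As an added example (not part of the original message), a read-only PowerShell audit of the CodeRed leftovers the removal steps above walk through: the explorer.exe dropped in each drive root, the four root.exe copies, the /C and /D virtual roots, the 217 and 271 digits on /MSADC and /Scripts, and the SFCDisable value. It assumes a modern PowerShell host; the function and variable names are my own, and it changes nothing.

```powershell
# Added example, not from the original message: report-only audit for the
# Trojan.VirtualRoot indicators listed in the CodeRed removal steps. Paths and
# registry values come from the message; function/variable names are my own.
function Test-CodeRedIndicators {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # A second explorer.exe in the root of a drive is the dropped Trojan; it is
    # hidden, system and read-only, so -Force is needed to read its attributes.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $candidate = Join-Path $drive.Root 'explorer.exe'
        if (Test-Path -LiteralPath $candidate) {
            $attrs = (Get-Item -LiteralPath $candidate -Force).Attributes
            $findings.Add("explorer.exe in drive root: $candidate ($attrs)")
        }
    }

    # Copies of %Windir%\root.exe at the four locations the message lists.
    foreach ($p in 'C:\inetpub\Scripts\Root.exe', 'D:\inetpub\Scripts\Root.exe',
                   'C:\progra~1\Common~1\System\MSADC\Root.exe',
                   'D:\Progra~1\Common~1\System\MSADC\Root.exe') {
        if (Test-Path -LiteralPath $p) { $findings.Add("root.exe copy present: $p") }
    }

    # IIS virtual roots: /C and /D are created by the worm; /MSADC and /Scripts
    # have their digits 201 changed to 217 and 271 respectively.
    $vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
    if (Test-Path -LiteralPath $vroots) {
        $props = Get-ItemProperty -LiteralPath $vroots
        foreach ($name in '/C', '/D') {
            if ($props.PSObject.Properties[$name]) {
                $findings.Add("worm-created virtual root $name -> $($props.$name)")
            }
        }
        foreach ($pair in @{ '/MSADC' = '217'; '/Scripts' = '271' }.GetEnumerator()) {
            $data = [string]$props.PSObject.Properties[$pair.Key].Value
            if ($data -match "\b$($pair.Value)\b") {
                $findings.Add("virtual root $($pair.Key) carries $($pair.Value): $data")
            }
        }
    }

    # On Windows 2000 the message requires SFCDisable to read 0.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).SFCDisable
    if ($null -ne $sfc -and $sfc -ne 0) { $findings.Add("SFCDisable is $sfc, expected 0") }
    return ,$findings
}

$result = Test-CodeRedIndicators
if ($result.Count -eq 0) { 'No CodeRed indicators found.' } else { $result }
```

Run it from an elevated prompt so the W3SVC and Winlogon keys are readable; each finding maps to one step of the manual process above, which is still carried out by hand.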



----- Forwarded by Gareth Cook/STA/Lotus on 18/09/2001 23:00 -----

From: "Graham Howe" <graham@xxxxxxx>
Subject: RE: [ukha_d] IIS Worm
Date: Today 21:32



My server has been hit, any ideas what to do about it?

Graham

> -----Original Message-----
> From: Mark Hetherington (egroups)
> [mailto:mark.egroups@xxxxxxx]
> Sent: 18 September 2001 21:02
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] IIS Worm
>
>
> A seemingly very prolific one it seems given the huge number of http
> requests my PC is getting. (There is a web server there but not published
> and nothing on it.) Getting 4+ attempts per incoming IP so seems likely to
> be the worm. I have been getting them for a while now but tonight has been
> almost constant since logon.
>
> My Norton Internet Security installation has never been so busy :)
>
> Mark.
>
> > -----Original Message-----
> > From: Broadfoot, Kieran J [mailto:Kieran.Broadfoot@xxxxxxx]
> > Sent: 18 September 2001 17:40
> > To: 'ukha_d@xxxxxxx'
> > Subject: [ukha_d] IIS Worm
> >
> >
> >
> > Those of you who need to concern yourselves with these kinds of things
> > probably know but for those who don't you might want to shut down your
> > IIS servers if you are directly connected to the web right now
> > (w32.nimda.amm)
> >
> > There is a rather nasty new worm out and about on a pipe near you.
> >
> > http://slashdot.org/articles/01/09/18/151203.shtml
> >
> > Thanks
> >        kieran
> >
> > For more information: http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe:  ukha_d-subscribe@xxxxxxx
> > Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
> > List owner:  ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/

