Tool to Remove Obvious Effects of the Code Red II Worm

Microsoft has developed a tool that eliminates the obvious damage that is caused by the Code Red II worm. This tool does the following:

  • Removes the malicious files installed by the worm.

  • Reboots the system to clear the hostile code from memory.

  • Removes mappings that the worm is currently known to install. (See the section titled "Cautions" below.)

  • Provides an option to permanently disable Internet Information Server (IIS) on the server.

CAUTIONS:

  • The tool is not a substitute for proper preventative action. If you are operating a Windows NT 4.0 or Windows 2000 Web server, Microsoft recommends that you apply the patch provided in Microsoft Security Bulletin MS01-044. Doing this prevents the worm from infecting the system, and avoids the need to use this tool.

  • The tool removes the IIS mappings for /Scripts or /MSADC. If your server requires such mappings, you should reinstall them manually after running the tool.

  • Because of the way the worm functions, you should run the tool a second time after the server reboots. This will ensure that the worm is eliminated no matter what state it was in when you ran the tool the first time.

  • THE TOOL ONLY ELIMINATES THE EFFECTS OF THE CODE RED II WORM. IT DOES NOT ELIMINATE THE EFFECT OF OTHER VARIANTS OF THE WORM.

  • IF THE WORM HAS INFECTED YOUR SYSTEM, YOUR SYSTEM HAS BEEN OPENED TO ADDITIONAL FORMS OF ATTACK. THIS TOOL ONLY ELIMINATES THE DIRECT EFFECTS OF THE WORM—IT DOES NOT ELIMINATE ANY ADDITIONAL DAMAGE THAT OTHER ATTACKS MAY HAVE CAUSED WHILE YOUR SERVER WAS INFECTED.

  • WHILE THIS TOOL IS USEFUL IN ELIMINATING THE EFFECTS OF THE CODE RED II WORM ON INTERNAL SERVERS THAT ARE PROTECTED FROM THE INTERNET BY A ROUTER OR FIREWALL, MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE. IN ADDITION, ANY OTHER SERVERS THAT ARE JUDGED TO HAVE BEEN PUT AT RISK BY THEIR PROXIMITY TO INFECTED SERVERS SHOULD ALSO BE REBUILT RATHER THAN BEING PLACED BACK INTO SERVICE.

To clean your system with the tool

  1. Download the tool from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9B7A1710-2B5C-4754-94D4-BC6A81A9A054.

  2. Extract it into a directory on the infected machine, such as C:\Cleanup.

  3. Run the tool from the command prompt.

    • From the Start Menu, select Programs, then Accessories, and then Command Prompt.

    • Change to the directory where you extracted the tool. To change directories, type

      cd C:\Cleanup
      
    • Run the tool by typing

      CodeRedCleanup
      
    • If you wish to permanently disable IIS on the server, type

      CodeRedCleanup -disable

    • The tool performs its cleanup actions as specified above. If the tool reboots your machine, you should run it again after the machine reboots. If the tool does not reboot, then your machine is cleaned when the tool returns to the command prompt. The tool produces information messages as it runs that depend on the configuration of your machine; these can be ignored.
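The following batch file is an added example, not Microsoft's code and not part of this article. It wraps the procedure above so that the second pass the "Cautions" section calls for happens automatically after the reboot: the script registers itself under the RunOnce key before starting the tool, and removes that entry again if the tool returns without rebooting. It assumes the tool was extracted to C:\Cleanup, that the script is saved there as run-cleanup.cmd, and that reg.exe with the Windows 2000 syntax is available.

```batch
@echo off
rem Added example (hypothetical wrapper), not the Microsoft tool itself.
rem Assumptions: tool in C:\Cleanup, this file is C:\Cleanup\run-cleanup.cmd,
rem reg.exe present (built into Windows 2000; Resource Kit on NT 4.0).
rem Usage:  run-cleanup.cmd            first pass, may reboot the server
rem         run-cleanup.cmd -disable   first pass and permanently disable IIS
setlocal
set TOOLDIR=C:\Cleanup
set RUNONCE=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
set LOGFILE=%TOOLDIR%\cleanup.log

if /i "%1"=="second" goto secondpass

rem ---- first pass ----------------------------------------------------
set OPTS=
if /i "%1"=="-disable" set OPTS=-disable
rem Register the second pass BEFORE running the tool. If the tool reboots
rem the machine, this script is killed and RunOnce starts the second pass
rem at the next logon. If the tool returns instead, the entry is deleted.
reg add %RUNONCE% /v CodeRedCleanup2 /t REG_SZ /d "%TOOLDIR%\run-cleanup.cmd second %OPTS%" /f >nul
cd /d %TOOLDIR%
echo %date% %time% first pass (%OPTS%) >> %LOGFILE%
CodeRedCleanup %OPTS% >> %LOGFILE% 2>&1
rem Still running: no reboot happened, so no scheduled pass is needed.
reg delete %RUNONCE% /v CodeRedCleanup2 /f >nul
echo %date% %time% first pass finished, no reboot >> %LOGFILE%
goto end

:secondpass
rem ---- second pass, started by RunOnce after the reboot ----------------
cd /d %TOOLDIR%
echo %date% %time% second pass after reboot (%2) >> %LOGFILE%
CodeRedCleanup %2 >> %LOGFILE% 2>&1
echo %date% %time% second pass finished >> %LOGFILE%

:end
endlocal
```

HKLM RunOnce entries execute at the next interactive logon, so an administrator still has to log on after the reboot; the log in C:\Cleanup\cleanup.log records which passes ran and the tool's informational output.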

© 2014 Microsoft