Installing the patch that stops the Code Red worm
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
This document outlines a quick and easy three-step process for protecting your computer if you are running IIS version 4 or 5 on your computer, and you have not yet installed the patch. To execute this process, you must be logged onto your computer's administrator account, or an account that has administrative privilege on your computer.
To determine whether you are running vulnerable versions of IIS,
Press Ctrl-Alt-Del and select Task Manager.
When the Task Manager window appears, select the Processes tab.
Look down the Image Name column of the window that appears. If you see Inetinfo.exe, you are running IIS.
If you find you are running IIS 4.0 or 5.0, then do the following:
Step 1. Download the patch
1.1 Create a folder anywhere on your hard drive and name it Microsoft-patches so you'll have a place to store this patch and future patches
1.2 Windows 2000 and Windows NT have separate patches. Select the appropriate one and save the file in the folder you created in Step 1.1. Note that we have released a new patch, MS01-044, that contains the Code Red fix (MS01-033), and is a cumulative roll up for ALL previous IIS patches. Customers are urged to apply this new patch to fully protect themselves against all known Code Red issues, as well as all known IIS issues. The instructions detail downloading this new patch.
Windows NT version 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061
Windows 2000 Professional, Server and Advanced Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011
Step 2. Install the patch
2.1 Go to the Microsoft-patches folder you created in Step 1.1
2.2 Find the patch:
In Windows NT, the patch is named simply: 301625i.exe
In Windows 2000, it is called: 301625_W2K_SP3_x86_en.EXE
2.3 Double click on the patch program
2.4 When it has finished, you will see a small pop-up that shows your system has been updated.
Step 3. Reboot your system to clear the worm from RAM
By rebooting you not only activate your patch, but you also clean out the worm if you had been previously infected
Additional information about the patch and its installation, and the vulnerability it addresses is available at http://www.microsoft.com/technet/security/bulletin/ms01-033.mspx. Note this has been superceded by MS01-044 and customers are urged to apply the updated patch. Please see MS01-044 for more details.
If you are concerned that damage may have been done to your system by the worm, you may wish to follow the recovery procedures documented at http://www.cert.org/tech_tips/root_compromise.html.
The patches can only be installed on Windows 2000 and Window NT 4.0 systems that have had recent service packs installed. If your system does not already have the required service pack, the patch installation will produce an error message advising you that the patch will not install on your system. For free download of Windows 2000 Service Pack 2, go to http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp. For free download of Window NT 4.0 Service Pack 6a, go to http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp.
If you have problems installing the patch, technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.