CodeRed.F - Removal

Risk Level 2: Low


Discovered: March 11, 2003
Updated: February 13, 2007 11:44:14 AM
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.f.worm [McAfee], Win32.CodeRed.F [CA]
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500 CVE-2001-0506

Security Response has created a tool that performs a vulnerability assessment of your computer and removes the CodeRed Worm and CodeRed II. To obtain the CodeRed removal tool, click here. If, for any reason, you cannot use or obtain the CodeRed removal tool, remove the worm manually as described below.

Manual removal

To manually remove this worm, apply the required Microsoft patches, remove the files, make several other changes, and then edit the registry. Follow all the instructions sequentially.

Obtaining the patches

Important: Do not skip this step.

Download and apply the patch from: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

Alternatively, you can download and install the cumulative patch for IIS, which is available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Removing the worm files
  1. Terminate the current process associated with the dropped Trojan (Norton AntiVirus detects this as Trojan.VirtualRoot).
    1. Press Ctrl+Alt+Delete, and then click Task Manager.
    2. Click the Processes tab.
    3. Click the Image Name column heading to alphabetically sort the processes. You should see two processes named Explorer.exe: one of them is legitimate, the other is the Trojan.
    4. To ensure that the correct process is terminated, click View, and then click "Select Columns...".
    5. Check the "Thread Count" box, and then click OK.
    6. A new column will appear in the Task Manager listing the current number of threads associated with each process. (You may need to scroll to the right to see it.)
    7. Of the two Explorer.exe processes, click the one that has one thread only.
    8. Once selected, click End Process. (A warning message appears.)
    9. Click Yes to terminate the process.
    10. Click File, and then click Exit Task Manager.

  2. Next, delete the Explorer.exe files created on the infected system. These files have the Hidden, System, and Read-only attributes.
    1. Click Start, and then click Run.
    2. Type cmd and then press Enter.
    3. Type the following lines, pressing Enter after each one:

      cd c:\
      attrib -h -s -r explorer.exe
      del explorer.exe

      This will change to the root directory, remove the attributes, and delete the Trojan from drive C.
    4. Type d: and then press Enter.

      This will change the focus to drive D, if it exists. (If drive D does not exist, go to step 6.)
    5. Type the following lines, pressing Enter after each one:

      cd d:\
      attrib -h -s -r explorer.exe
      del explorer.exe

    6. Type exit, and then press Enter.

  3. Using Windows Explorer, delete the following four files, if they exist (they are copies of the file %Windir%\root.exe):
    • C:\Inetpub\Scripts\Root.exe
    • D:\Inetpub\Scripts\Root.exe
    • C:\Progra~1\Common~1\System\MSADC\Root.exe
    • D:\Progra~1\Common~1\System\MSADC\Root.exe

  4. Open Computer Management to remove the open shares on the Web server. To do this, right-click the My Computer icon on the desktop, and then click Manage. (The Computer Management window appears.)
  5. In the left pane, navigate to \Computer Management (local)\Services and Applications\Default Web Site.
  6. In the right pane, right-click the drive C icon, and then click Delete. Repeat this step for any other drives listed under the default Web site.

  7. Go to the next section.

Editing the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Modify the specified keys only. Refer to the document, "How to back up the Windows registry," before proceeding.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\
    Services\W3SVC\Parameters\Virtual Roots


    In the right pane, you will see several values. Two of them (/C and /D) were created by CodeRed II and can be deleted; the others must be modified as described in the following steps.
  4. Select the value /C, press Delete, and then click Yes to confirm.
  5. Select the value: /D
  6. Press Delete, and then click Yes to confirm.
  7. Double-click the value: /MSADC
  8. Delete the digits 217 only from the current value data and replace them with the digits 201, and then click OK.
  9. Double-click the value: /Scripts
  10. Delete the digits 217 only from the current value data and replace them with the digits 201, then click OK.

    NOTE: The CodeRed Removal tool completely deletes the /MSADC and /Scripts entries from the registry. After using the tool, upon restarting IIS, these entries will be recreated with the proper values.
  11. Do one of the following:
    • If this is not a Windows 2000 system, skip to step 16.
    • If this is a Windows 2000 system, proceed to step 12.
  12. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows NT\CurrentVersion\WinLogon

  13. In the right pane, double-click the value: SFCDisable
  14. Delete the current value data, and then type 0 (the number zero, not the letter "O"). Click OK.
  15. Exit the Registry Editor.
  16. Restart the computer to ensure that CodeRed II has been properly removed.
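As an added check that is not part of the original Symantec page, the following PowerShell script re-tests the indicators named in the steps above (the single-threaded Explorer.exe, the dropped explorer.exe and root.exe copies, the /C, /D, /MSADC and /Scripts virtual-root values, and SFCDisable) and reports anything still present; it changes nothing. It assumes PowerShell is available on the host and that the drives and paths are the ones the steps above name.

```powershell
# Added verification script (not from the Symantec page): re-checks the removal indicators and only reports.
function Test-CodeRedFResidue {
    $findings = @()

    # Removal step 1: the dropped Trojan runs as a second Explorer.exe that has only one thread.
    $suspect = Get-Process -Name explorer -ErrorAction SilentlyContinue | Where-Object { $_.Threads.Count -eq 1 }
    foreach ($proc in $suspect) {
        $findings += "Single-threaded Explorer.exe still running (PID $($proc.Id))"
    }

    # Removal step 2: hidden/system/read-only explorer.exe in the root of C: and D: (-Force shows hidden files).
    foreach ($drive in 'C:', 'D:') {
        $copy = Get-Item -LiteralPath "$drive\explorer.exe" -Force -ErrorAction SilentlyContinue
        if ($copy) { $findings += "Trojan copy still present: $($copy.FullName) [$($copy.Attributes)]" }
    }

    # Removal step 3: the four root.exe copies plus the original in %Windir%.
    $rootCopies = 'C:\Inetpub\Scripts\Root.exe', 'D:\Inetpub\Scripts\Root.exe',
                  'C:\Progra~1\Common~1\System\MSADC\Root.exe', 'D:\Progra~1\Common~1\System\MSADC\Root.exe',
                  (Join-Path $env:windir 'root.exe')
    foreach ($p in $rootCopies) {
        if (Test-Path -LiteralPath $p) { $findings += "root.exe copy still present: $p" }
    }

    # Registry steps 3-10: /C and /D should be gone; /MSADC and /Scripts should no longer contain 217.
    $vrootKey = 'HKLM:\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
    if (Test-Path -LiteralPath $vrootKey) {
        foreach ($prop in (Get-ItemProperty -LiteralPath $vrootKey).PSObject.Properties) {
            if (@('/C', '/D') -contains $prop.Name) {
                $findings += "Worm-created virtual root still present: $($prop.Name) = $($prop.Value)"
            }
            if (@('/MSADC', '/Scripts') -contains $prop.Name -and "$($prop.Value)" -like '*217*') {
                $findings += "Virtual root still carries the worm's 217 setting: $($prop.Name) = $($prop.Value)"
            }
        }
    }

    # Registry steps 12-14 (Windows 2000 only): SFCDisable must be back to 0.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).SFCDisable
    if ($null -ne $sfc -and $sfc -ne 0) { $findings += "SFCDisable is $sfc (expected 0)" }

    if ($findings.Count -eq 0) { 'No CodeRed.F removal indicators remain.' } else { $findings }
}

Test-CodeRedFResidue
```

Run it from an elevated PowerShell prompt after the restart in step 16; any line it prints points back to the removal step that still needs to be repeated.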
