
CodeRed II - Removal

Risk Level 2: Low

Discovered:
August 4, 2001
Updated:
February 13, 2007 11:37:00 AM
Also Known As:
CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, CodeRed.F
Type:
Trojan Horse, Worm
Systems Affected:
Microsoft IIS
CVE References:
CVE-2001-0500 CVE-2001-0506

Security Response has created a CodeRed removal tool to perform a vulnerability assessment of your computer and remove the CodeRed Worm and CodeRed II. If for any reason you cannot use or obtain the tool, manually remove this worm.

Manual removal

To manually remove this worm, apply the required Microsoft patches, terminate the Trojan process and remove its files, delete the virtual directories the worm added to the Web server, and then edit the registry. Follow all the instructions in sequential order.

Obtaining the patches
NOTE: Do not skip this step. An unpatched IIS server is still exploitable after cleanup and will be reinfected by the next CodeRed scan that reaches it, so patch before you remove the worm.

Download and apply the patch from the following Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Alternatively, you can download and install the cumulative patch for IIS, which is available at:

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Removing the worm files
  1. Terminate the current process associated with the dropped Trojan (Norton AntiVirus detects this as Trojan.VirtualRoot):
    1. Press Ctrl+Alt+Delete, and then click Task Manager.
    2. Click the Processes tab.
    3. Click the Image Name column heading to alphabetically sort the processes. You should see two processes named Explorer.exe: one of them is legitimate, the other is the Trojan.
    4. To ensure that the correct process is terminated, click View and then click "Select Columns...."
    5. Check the "Thread Count" box, and then click OK.
    6. A new column will appear in the Task Manager that lists the current number of threads associated with each process. (You may have to scroll to the right to see it.)
    7. Of the two Explorer.exe processes, click the one that has only one thread.
    8. Once selected, click End Process. (A warning message appears.)
    9. Click Yes to terminate the process.
    10. Click File, and then click Exit Task Manager.

  2. Next, delete the Explorer.exe files that the worm created in the root of each drive. The worm puts them there so that its copy is started in place of the real %Windir%\Explorer.exe when a user logs on. These files have the Hidden, System, and Read Only attributes, which must be cleared before the files can be deleted.
    1. Click Start, and then click Run.
    2. Type: cmd

      and then press Enter.

    3. Type the following lines (pressing Enter after each line):

      cd c:\
      attrib -h -s -r explorer.exe
      del explorer.exe


      This changes to the root directory of drive C, clears the attributes, and deletes the Trojan from drive C.

    4. Type the following:

      d:

      and then press Enter. This changes the focus to drive D if it exists. (If drive D does not exist, skip to step 6.)

    5. Type the following lines (pressing Enter after each line):

      cd d:\
      attrib -h -s -r explorer.exe
      del explorer.exe


    6. Type: exit

      and then press Enter.

  3. Using Windows Explorer, delete the following four files if they exist (they are copies of the file %Windir%\root.exe, placed in Web-accessible script directories):
    • C:\Inetpub\Scripts\Root.exe
    • D:\Inetpub\Scripts\Root.exe
    • C:\Progra~1\Common~1\System\MSADC\Root.exe
    • D:\Progra~1\Common~1\System\MSADC\Root.exe

  4. Open Computer Management to remove the virtual directories that the worm added to the Web server (these are IIS virtual roots, not file shares). To do this, right-click the My Computer icon on the desktop, and then click Manage. The Computer Management window appears.
  5. In the left pane, navigate to: \Computer Management (local)\Services and Applications\Default Web Site.
  6. In the right pane, right-click the virtual directory named C (the /C root that the worm added, which maps the root of drive C into the Web site), and then click Delete. Repeat this step for D and for any other drive-letter entries listed under the Default Web Site.
  7. Proceed to the next section.

Editing the registry

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Make sure to modify the specified keys only. Refer to "How to back up the Windows registry" before you proceed.
  1. Click Start, and then click Run. (The Run dialog box appears.)

  2. Type regedit, and then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

    In the right pane you will see several values. The worm created /C and /D (they map the roots of drives C and D into the Web site), so delete those two. /Scripts and /MSADC are legitimate IIS roots whose access flags the worm rewrote, so restore their value data instead of deleting them.

  4. Select the value:

    /C

  5. Press Delete, and then click Yes to confirm.

  6. Select the value:

    /D

  7. Press Delete, and then click Yes to confirm.

  8. Double-click the value: /MSADC

  9. The value data is the directory path followed by ,,217. Change only the trailing digits 217 to 201 (the IIS default), leave the path unchanged, and then click OK.

  10. Double-click the value: /Scripts

  11. As in step 9, change only the trailing digits 217 to 201, leave the path unchanged, and then click OK.

    NOTE: The CodeRed Removal tool deletes the /MSADC and /Scripts entries from the registry entirely. After you use the tool and restart IIS, IIS recreates these entries with the proper values.

  12. Do one of the following:
    • If this is not a Windows 2000 system, skip to step 16.
    • If this is a Windows 2000 system, proceed to step 13.

  13. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon


  14. In the right pane, double-click the value:

    SFCDisable

  15. Delete the current value data, and then type 0 (that is, the number zero, not the letter "O"). Click OK. This re-enables Windows File Protection, which the worm disabled by setting this value.
  16. Exit the Registry Editor.
  17. Restart the computer to ensure that CodeRed II has been properly removed.
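The registry portion of this procedure (steps 3 through 15) can be audited and reversed from an export of the two keys rather than by hand in Registry Editor. The script below is an added example written for this page; it is not Symantec's CodeRed removal tool. It assumes that the Virtual Roots key and the WinLogon key were exported with regedit /e (REGEDIT4 format) and concatenated into one file, and that Virtual Roots value data uses the IIS "path,username,flags" layout (for example c:\inetpub\scripts,,201), so that the access flags are the text after the last comma. The sample export embedded in it is constructed, not captured from a real host; the SFCDisable data in it is an illustrative nonzero value. The script reports each indicator and emits a REGEDIT4 file that deletes /C and /D, restores the flags of /Scripts and /MSADC to 201, and sets SFCDisable back to 0.

```python
r"""Audit a regedit export for CodeRed II registry changes and emit a cleanup .reg.

Added example for the Symantec CodeRed II removal page; not Symantec's tool.
Assumptions: the keys were exported with
    regedit /e vroots.reg "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
    regedit /e logon.reg  "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"
and concatenated, and that Virtual Roots data is "path,username,flags".
"""
import re

VROOTS_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
              r"\W3SVC\Parameters\Virtual Roots")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"
WORM_ROOTS = {"/C", "/D"}                # created by the worm: delete outright
CHANGED_ROOTS = {"/Scripts", "/MSADC"}   # legitimate roots whose flags the worm rewrote
WORM_FLAGS, CLEAN_FLAGS = "217", "201"   # 201 is the value the removal steps restore

# Constructed export of an infected host (not captured from a real system).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,201"
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\program files\\common files\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
"SFCDisable"=dword:ffffff9d
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg strings escape \ and " with a backslash


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key: {value_name: data}}; REG_SZ as str, REG_DWORD as int, other types skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = _unescape(raw[1:-1])
    return keys


def audit(keys):
    """Return (findings, cleanup): human-readable indicators and REGEDIT4 text undoing them."""
    findings, vroot_fixes, logon_fixes = [], [], []
    for name, data in sorted(keys.get(VROOTS_KEY, {}).items()):
        if not isinstance(data, str):
            continue
        if name in WORM_ROOTS:
            findings.append(f"{name} = {data!r}: virtual root created by CodeRed II")
            vroot_fixes.append(f'"{_escape(name)}"=-')      # "=-" deletes the value on import
            continue
        head, sep, flags = data.rpartition(",")
        if sep and flags == WORM_FLAGS:
            if name in CHANGED_ROOTS:
                findings.append(f"{name} = {data!r}: access flags changed to {WORM_FLAGS}")
                vroot_fixes.append(f'"{_escape(name)}"="{_escape(head + sep + CLEAN_FLAGS)}"')
            else:   # not named by the removal steps: report, but leave for manual review
                findings.append(f"{name} = {data!r}: flags {WORM_FLAGS}, review by hand")
    sfc = keys.get(WINLOGON_KEY, {}).get("SFCDisable", 0)
    if sfc != 0:
        findings.append(f"SFCDisable = 0x{sfc:08x}: Windows File Protection disabled")
        logon_fixes.append('"SFCDisable"=dword:00000000')
    cleanup = ["REGEDIT4", ""]
    for key, fixes in ((VROOTS_KEY, vroot_fixes), (WINLOGON_KEY, logon_fixes)):
        if fixes:
            cleanup += [f"[{key}]", *fixes, ""]
    return findings, "\n".join(cleanup)


if __name__ == "__main__":
    found, fix = audit(parse_reg(SAMPLE_EXPORT))
    print("\n".join(found) or "no CodeRed II registry indicators")
    print("\n--- cleanup .reg (import with: regedit /s codered2-clean.reg) ---")
    print(fix)
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; import the emitted text with regedit /s only after the worm process and files have been removed as described above, then restart IIS and confirm that the /C and /D directories no longer appear under the Default Web Site. Back up the registry first, as the caution above says.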


Writeup By: Peter Szor, Eric Chien
