Removing W32/CodeRed-II
-----------------------
August 2001
www.sophos.com

W32/CodeRed-II is a backdoor Trojan horse dropped by the CodeRed II worm. It affects Windows NT and Windows 2000 computers running Microsoft Internet Information Services (IIS) versions 4 and 5. IIS is installed by default on Windows 2000 Server and is easily installed on Windows 2000 Professional. The dropped files explorer.exe and root.exe, together with the worm's registry modifications, give an attacker remote access to the computer.

Details of this worm can be found at
http://www.sophos.com/virusinfo/analyses/w32codered2.html

The tool these notes refer to can be found at
http://www.sophos.com/virusinfo/analyses/rmred.bat

1. Before you start
-------------------
You will need a blank floppy disk and an uninfected computer that can access the internet.

2. Downloading the files
------------------------
On an uninfected computer, preferably one not running IIS, go to the W32/CodeRed-II disinfection web page at
http://www.sophos.com/support/faqs/codered.html

Near the top of the page you will see the sentence 'Please click on rmred.bat.' Click on the words 'rmred.bat' to download the W32/CodeRed-II disinfection batch file. Click on the words 'Readme notes' below it to download this text. Save both files to the floppy disk.

Go to the Microsoft Security Bulletin MS01-033 page at
http://www.microsoft.com/technet/security/bulletin/ms01-033.asp
and download the patch for your language and operating system (Windows NT or Windows 2000). Save it onto the floppy disk.

Write-protect the floppy disk.

3. Running the RMRED batch file from the command prompt
-------------------------------------------------------
Go to the infected computer. Log on as Administrator. Close all programs, leaving only the Windows Desktop. Place the floppy disk in the A: drive.

At the Windows taskbar, select Start|Run. Type A:\RMRED and press Enter.

A message will tell you if your computer is infected ('Infection Active!') or if there is another problem.
You will also be told if you need to install the Microsoft security patch. Press a key to close the program, then close the command prompt window if necessary.

If your computer is uninfected but you do not have the patch, go to section 5, 'Installing the Microsoft patch'. If your computer is uninfected and you do have the patch, ensure that your anti-virus software is up to date.

4. Clearing the infection
-------------------------
Unplug your computer from the internet and any local network. Log off and log on again as Administrator.

Run the batch file again: at the Windows taskbar, select Start|Run, type A:\RMRED and press Enter.

In most cases you will be told that the cleaning process has finished. You will also be told if you need to install the Microsoft patch. If problems persist, go to section 8, 'Troubleshooting'.

5. Installing the Microsoft patch
---------------------------------
You will have been told if the Microsoft patch has not been installed. If you need to install it, open drive A: in Windows Explorer and double-click on the file Q300972i.EXE (Windows NT) or Q300972_W2K_SP3_x86_en.EXE (Windows 2000). These file names may differ on non-English systems. The patch installs automatically. Shut your computer down and reboot it. Do not reconnect the computer to the network until the patch is installed: an unpatched IIS server remains open to the same attack and will simply be reinfected.

6. Check your anti-virus software
---------------------------------
Ensure that your copy of Sophos Anti-Virus is up to date and has the latest virus identities. Run a scan to check that no other files have been dropped.

7. Checking your network
------------------------
Check every computer on your network that runs IIS for infection. This may include any Windows 2000 workstation or server, not only machines set up as web servers. Isolate any other infected computers from the network and disinfect them separately. Patch all Windows 2000 computers and any Windows NT computers running IIS. If you have installed IIS on computers that do not need it, remove it via the Add/Remove Programs option in the Windows 2000 Control Panel.
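The check in section 7 can be started from the web servers' own logs. The script below is an added example and is not part of these notes or of the rmred.bat tool. It reads IIS W3C extended log lines and flags two things: requests to the .ida/.idq Index Server ISAPI extension carrying an overlong query, which is how the worm exploits the MS01-033 flaw, and any request for root.exe, the backdoor file named above. The source addresses of the overflow requests are most likely infected IIS hosts themselves, since the worm spreads from machines it has already compromised, so they are the computers to isolate and disinfect next. The log field order, the 200-character query threshold and the sample log lines are all assumptions constructed for the example.

```python
"""Scan IIS W3C extended log lines for W32/CodeRed-II activity.

Added example, not part of the Sophos notes or of rmred.bat. Assumes the log
field order shown in the constructed SAMPLE_LOG header below.
"""
import re
import sys

# Indicators: root.exe is the backdoor file named in the notes; .ida/.idq is the
# Index Server ISAPI extension patched by MS01-033, which the worm overflows with
# an overlong query string. The length threshold is an assumption, set well above
# any legitimate Index Server query.
IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)
BACKDOOR = re.compile(r"/root\.exe$", re.IGNORECASE)
MIN_OVERFLOW_QUERY = 200

# Constructed sample log, not real data. Field order follows the #Fields header.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-05 12:00:00 192.0.2.5 GET /default.htm - 200",
    "2001-08-05 12:00:01 192.0.2.10 GET /default.ida " + "X" * 240 + "%u9090 200",
    "2001-08-05 12:00:02 192.0.2.6 GET /query.ida CiRestriction=codered 200",
    "2001-08-05 12:00:03 192.0.2.10 GET /scripts/root.exe /c+dir 200",
]


def classify(line):
    """Return (indicator, client_ip) for a suspicious line, or None."""
    if not line or line.startswith("#"):
        return None          # directive or blank line
    fields = line.split()
    if len(fields) < 7:
        return None          # malformed or truncated entry
    client_ip, stem, query = fields[2], fields[4], fields[5]
    if IDA_EXT.search(stem) and len(query) >= MIN_OVERFLOW_QUERY:
        return ("ida-overflow-attempt", client_ip)
    if BACKDOOR.search(stem):
        return ("root.exe-backdoor-request", client_ip)
    return None


def scan(lines):
    """Classify every line; returns a list of (indicator, client_ip, line_number)."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = classify(line.rstrip("\r\n"))
        if result is not None:
            hits.append((result[0], result[1], number))
    return hits


def suspect_hosts(hits):
    """Sources of overflow attempts are most likely infected IIS hosts themselves,
    because the worm spreads from machines it has compromised. Return them sorted."""
    return sorted({ip for kind, ip, _ in hits if kind == "ida-overflow-attempt"})


if __name__ == "__main__":
    # Usage: python codered_logscan.py [iis_log_file]; with no argument the
    # constructed sample is scanned.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan(lines)
    for kind, ip, number in found:
        print("line %d: %s from %s" % (number, kind, ip))
    print("hosts to isolate and disinfect:", ", ".join(suspect_hosts(found)) or "none")
```

A short legitimate Index Server query to a .ida file is deliberately not flagged, so the overflow rule does not fire on normal search traffic; any request for root.exe is flagged regardless of its query, because that file has no legitimate reason to exist under an IIS scripts directory.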
When all infected files have been removed you can reconnect your computers to the local network and the internet.

This disinfector removes the backdoor Trojan, but it cannot undo any other compromise or change made while the backdoor was open. You should review the contents and settings of any affected computer, since anyone who found the backdoor could have used it to run commands on that machine.

8. Troubleshooting
------------------
If you get 'Error 06', check that Microsoft Internet Information Services (IIS) is installed on the computer concerned. For other error messages, follow the on-screen instructions. If problems persist, contact Sophos Technical Support.

9. Support
----------
For assistance, please contact Sophos Technical Support.
support@sophos.com

07/04/2003
----------------