
Code Red Worm Crawls Again

Here's how to protect your systems from the potential menace's monthly emergence.

How to Track, Kill the Code Red Worm

If you're running IIS, it's just smart management to make sure your system is protected against the Code Red worm family. The worms spread through a buffer overflow in the Indexing Service ISAPI extension (idq.dll) that IIS 4.0 and 5.0 install by default, so any unpatched IIS server reachable from the Internet is a target. Here's what you need to do to stomp out the worm, regardless of whether your system has become infected.

First, determine if the worm is residing on your system. If your server carries the first release of Code Red, the worm exists only in memory and doesn't drop any files on your hard drive; a reboot clears it, but an unpatched server is typically reinfected within minutes of coming back online. The Code Red II version deposits Trojan horse files on your system that open it up to further hacking by outsiders, and those survive a reboot.

Several free tools are available to scan your system for infection. You can use Symantec's FixCodeRed Assessment Tool or McAfee's CyberCop WormScan for this function.
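Scanner tools tell you whether the worm is present right now; the IIS logs tell you whether it has been knocking. Every infection attempt shows up as a GET for /default.ida with a long run of N's (Code Red) or X's (Code Red II) in the query string. The script below is an added example and is not code from the article or from Microsoft; it runs over constructed sample lines in IIS W3C extended format (field order assumed: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status), shortened from the roughly 224-character runs seen in real logs.

```powershell
# Added example, not part of the original article: flag Code Red probes in IIS W3C
# extended log lines. $sampleLog is a constructed stand-in for
# C:\WINNT\system32\LogFiles\W3SVC1\*.log; the assumed field order is
#   date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
# Real probes carry about 224 N's (Code Red) or X's (Code Red II); these are shortened.
$sampleLog = @'
2001-08-04 14:22:17 10.0.0.7 - 192.168.1.20 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u0000%u00=a 200
2001-08-04 14:22:18 10.0.0.7 - 192.168.1.20 80 GET /index.htm - 200
2001-08-05 02:10:41 10.0.0.99 - 192.168.1.20 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u0000%u00=a 200
2001-08-05 02:11:03 10.0.0.99 - 192.168.1.20 80 GET /scripts/root.exe /c+dir 200
2001-08-06 09:00:00 10.0.0.5 - 192.168.1.20 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u0000%u00=a 404
'@

function Find-CodeRedProbes {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Skip #Fields:/#Date: headers and blank lines that do not parse as a request.
        if ($line -notmatch '^(\S+ \S+) (\S+) \S+ \S+ \d+ (\S+) (\S+) (\S+) (\d{3})') { continue }
        # Copy the groups out now: the -match tests below overwrite $Matches.
        $when   = $Matches[1]
        $client = $Matches[2]
        $verb   = $Matches[3]
        $stem   = $Matches[4]
        $query  = $Matches[5]
        $status = [int]$Matches[6]

        $variant = $null
        if ($stem -eq '/default.ida') {
            if     ($query -match '^N{20,}') { $variant = 'Code Red (ISAPI .ida overflow probe)' }
            elseif ($query -match '^X{20,}') { $variant = 'Code Red II (ISAPI .ida overflow probe)' }
        } elseif ($stem -match '/root\.exe$') {
            # root.exe is the copy of cmd.exe Code Red II leaves behind; a request for it
            # means someone is using the backdoor on an already-compromised host.
            $variant = 'root.exe backdoor request'
        }
        if ($variant) {
            [pscustomobject]@{
                When     = $when
                ClientIp = $client
                Request  = "$verb $stem"
                # 404: the .ida mapping has been removed. 200: the ISAPI extension answered.
                # Whether the overflow actually succeeded depends on the patch level, which
                # the log cannot tell you.
                Status   = $status
                Variant  = $variant
            }
        }
    }
}

$hits = Find-CodeRedProbes -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize

# Probing hosts are themselves infected: any client IP inside your own address space is a
# machine that needs the cleanup described in this article.
$hits | Group-Object ClientIp | Sort-Object Count -Descending |
    Select-Object @{n = 'ClientIp'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Against a real log:
# Find-CodeRedProbes -Lines (Get-Content 'C:\WINNT\system32\LogFiles\W3SVC1\ex010804.log')
```

The /default.ida hits tell you the server was targeted; the root.exe line is the one that should make you assume the box is owned, because that file only exists on a machine Code Red II has already compromised.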

If you haven't been infected, you're in luck. Download the Microsoft patch (Q300972, issued with security bulletin MS01-033) that closes the hole Code Red uses to take hold on your system. Make sure you choose the correct patch for your operating system: Microsoft offers one for IIS 4.0 on Windows NT 4 and one for IIS 5.0 on Windows 2000 (all versions). Run the downloaded file and restart if it asks you to; with the overflow fixed, the worm's probes will no longer infect the server. If you haven't upgraded to Windows 2000 Service Pack 2, now is a good time to do that chore, too.

If your system is infected by Code Red II, you may have additional problems. Between the time the worm wriggled into your system and when you discovered it, anyone who found the backdoor it leaves behind could have made other, subtler changes to the affected system, installing further Trojan horse programs or other viruses. Besides installing the patch, conducting a full system scan using an up-to-date antivirus tool is in order. For systems that run critical infrastructure, like a business Web site, you may need to completely format the hard drive and reinstall the operating system from scratch. Or you may have to rebuild the entire drive from a full backup taken before the infection, just to be sure your machine is free and clear of nasties.

Removing the Worm

If your system is infected with either Code Red or Code Red II, you still need to install the patch, and you need to do it before the machine goes back on the network or it will simply be reinfected. Also, grab a copy of the Microsoft Code Red hotfix tool. Run the automatic updater for your antivirus software, or download the latest definition files and install them. Now you're ready to begin removing the Code Red II files.

Disconnect your network cable from the back of your PC (or hang up your modem connection) before you begin the cleanup. Begin the cleansing by running the Microsoft Code Red hotfix tool, and follow all the instructions to clean out the various files the worm left behind. (If you prefer to remove the files manually, you can skip this step and continue.)

The first part of the fix involves removing the Trojan horse files installed on your system. Code Red II takes advantage of a little-known default Windows behavior: the shell is registered as a relative name, explorer.exe, and Windows searches the root of the drive before the WINNT folder where system apps reside. Code Red II places its Trojan, cleverly disguised as Explorer.exe, in your C:\ or D:\ directory (or both), so the fake shell is started at every logon instead of the real one and can keep the worm's backdoor settings alive. You need to kill the Trojan Explorer while leaving the real Windows Explorer running.

First, close all open Windows Explorer windows. Hit the Ctrl-Alt-Delete keys simultaneously, click the button labeled Task Manager, and select the Processes tab. Sort the list alphabetically by clicking the Image Name column header twice. If the Microsoft tool removed the Trojan properly, you'll only see one explorer.exe. If the Code Red II Trojan is still running, you'll see two or more copies of explorer.exe in the list. Only one is the legitimate file, so be careful with this next step.

You need to stop the copy of explorer.exe that is running only one "thread." If you don't see a column labeled Threads, click View, Select Columns, fill in the checkbox labeled Thread Count, then click OK. Now it should be easy to identify which copy of explorer.exe has one thread; the real Windows shell runs many. Select all the single-thread copies of explorer.exe, then click the End Process button. When the warning dialog displays, click Yes to continue; when they're all gone, click File, Exit Task Manager.

Now that you've stopped the Trojan horse programs, you need to delete them from your hard drive using the Windows command line. Start the command program by clicking Start, Run, typing cmd and pressing Enter. Type cd c:\ and press Enter, then attrib -h -s -r explorer.exe and Enter again (the worm marks the file hidden, system and read-only, and del refuses to touch it until those attributes are cleared). Now you can type del explorer.exe and press Enter to remove the file. If you have a D:\explorer.exe file, repeat this process in the D:\ directory by entering cd d:\ and stepping through the rest of the commands. The fake explorer.exe is not the only thing Code Red II leaves behind: it also copies cmd.exe to a file named root.exe in the IIS scripts and MSADC directories and maps the virtual directories /C and /D to your drive roots, which together give anyone on the Internet a command prompt over HTTP. Delete the root.exe copies and remove those virtual directories before you reconnect the machine.
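The whole removal procedure above, from identifying the rogue explorer.exe through deleting the dropped files, as an added example script that is not part of the original article and not Microsoft's cleanup tool. It assumes an elevated PowerShell prompt on the infected host with the network cable still unplugged and the Q300972 patch already installed; the drive roots, the root.exe locations and the IIS registry key it checks are assumptions based on the worm's documented behavior rather than anything the article states. It tests the process image path rather than the thread count wherever it can, because the path cannot be faked by a worm variant that happens to spawn more threads.

```powershell
# Added example, not code from the original article: automate the Code Red II cleanup
# steps on a Windows host. Run from an elevated PowerShell prompt, network cable
# unplugged, after installing the Q300972 patch. The drive roots, root.exe locations
# and registry key below are assumptions based on the worm's documented behaviour.

$legitExplorer = Join-Path $env:SystemRoot 'explorer.exe'
$driveRoots    = @('C:\', 'D:\')          # roots the worm drops explorer.exe into

# 1. Find rogue explorer.exe processes. The image path is the reliable test; the
#    article's one-thread heuristic is kept only as a fallback for processes whose
#    path cannot be read (run elevated so that does not happen for SYSTEM processes).
$rogue = Get-Process -Name explorer -ErrorAction SilentlyContinue | Where-Object {
    if ($_.Path) { $_.Path -ne $legitExplorer } else { $_.Threads.Count -eq 1 }
}
foreach ($p in $rogue) {
    Write-Host ('Stopping rogue explorer.exe PID {0} path={1} threads={2}' -f $p.Id, $p.Path, $p.Threads.Count)
    Stop-Process -Id $p.Id -Force
}

# 2. Delete the dropped files. -Force on Get-Item/Remove-Item plays the role of
#    'attrib -h -s -r' plus 'del': it sees and deletes hidden, system and read-only files.
foreach ($root in $driveRoots) {
    $file = Join-Path $root 'explorer.exe'
    if (Test-Path -LiteralPath $file) {
        $item = Get-Item -LiteralPath $file -Force
        Write-Host ('Removing {0} ({1} bytes, attributes {2})' -f $file, $item.Length, $item.Attributes)
        Remove-Item -LiteralPath $file -Force
    }
}

# 3. Code Red II also copies cmd.exe to root.exe in the IIS scripts and MSADC
#    directories; default install locations assumed, adjust for your server.
$backdoors = @(
    'C:\inetpub\scripts\root.exe',
    'D:\inetpub\scripts\root.exe',
    (Join-Path $env:CommonProgramFiles 'system\msadc\root.exe')
)
foreach ($b in $backdoors) {
    if (Test-Path -LiteralPath $b) {
        Write-Host "Removing backdoor copy of cmd.exe: $b"
        Remove-Item -LiteralPath $b -Force
    }
}

# 4. The worm maps the virtual directories /C and /D to the drive roots with execute
#    permission. Report them here; remove them with the IIS snap-in (or delete the
#    registry values) and restart the web service.
$vrootKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
$vroots   = Get-ItemProperty -Path $vrootKey -ErrorAction SilentlyContinue
foreach ($name in '/C', '/D') {
    if ($vroots -and $vroots.PSObject.Properties[$name]) {
        Write-Warning ('Worm virtual root {0} -> {1}' -f $name, $vroots.$name)
    }
}

# 5. Verify: exactly one explorer.exe should remain, and it should be the real one.
$left = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
Write-Host ('explorer.exe processes now running: {0}' -f $left.Count)
$left | ForEach-Object { Write-Host ('  PID {0}: {1}' -f $_.Id, $_.Path) }
```

After it runs, reboot once more and repeat step 5 by hand: if a second explorer.exe reappears at logon, a dropped copy was missed on a drive other than C: or D:, and the same attrib/del sequence applies there.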
