[ale] Code Red II!!! Disregard previous reply!!!

SAngell at nan.net SAngell at nan.net
Mon Aug 6 15:45:31 EDT 2001




Sorry about previous e-mail, somehow I clicked send without realizing what I was
doing.

I have been watching hits coming through trying to dump this payload all day, in
case anyone is running IIS out there. This second strand drops a backdoor trojan
onto your IIS 4 or 5 server and the telltale sign will be a file called
ROOT.EXE which will be dropped into one or two places, perhaps both:
\inetpub\scripts
and/or
\program files\common files\system\msadc

Here's the trick. If you can delete this file then you are OK; that means the
trojan has not been used. If however you cannot delete the file ROOT.exe then the
trojan has been executed and only a full re-install will solve your problems.
(You gotta love Windows!)


Apply the fixes:

For IIS 4:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

For IIS 5

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

If this helps anyone, GREAT. If you are all running Web servers other than IIS,
pray for me.

Steve Angell,  MCSE, CCNA
MIS Operations Manager
TSYS Total Debt Management
Phone 770-409-5570
Fax      770-416-1752
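A defender-side version of the check Steve describes, added here as an example and not part of the original mail: it looks for ROOT.EXE in the two directories named above and, rather than deleting it, tests whether a running process holds the file open, which is what makes the delete fail. It assumes the IIS install lives on C: and that it is run elevated on the server itself.

```powershell
# Added example, not from the original post. The two drop directories are the
# ones the mail names; the C: drive letter is an assumption for this example.
$DropDirs = @(
    'C:\inetpub\scripts',
    'C:\Program Files\Common Files\System\msadc'
)

function Test-CodeRedRootExe {
    param([string[]]$Dirs = $DropDirs)
    $findings = @()
    foreach ($dir in $Dirs) {
        $path = Join-Path $dir 'root.exe'
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path

        # The mail's heuristic: a ROOT.EXE you cannot delete is one that has
        # been run, because Windows keeps a running image file open. Probe for
        # that lock by opening the file for write instead of deleting it, so
        # the file survives as evidence either way.
        $inUse = $false
        try {
            $fs = [System.IO.File]::Open($path, 'Open', 'Write', 'None')
            $fs.Close()
        } catch [System.IO.IOException] {
            $inUse = $true
        }
        if ($inUse) { $verdict = 'executed: rebuild host' }
        else        { $verdict = 'dropped only: remove file and apply the IIS fix' }

        $findings += [pscustomobject]@{
            Path    = $path
            Bytes   = $item.Length
            Written = $item.LastWriteTime
            InUse   = $inUse
            Verdict = $verdict
        }
    }
    return $findings
}

$result = Test-CodeRedRootExe
if ($result) { $result | Format-Table -AutoSize }
else { 'No ROOT.EXE found in the known drop directories.' }
```

A lock on the file is one signal, not proof; an access-denied error from an ACL will surface as a different exception and is left to propagate so it is not mistaken for "in use".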


From:    "Transam at cavu.com" <transam
Sent:    08/06/01 03:18 PM
To:      ale at ale.org
cc:      (bcc: Steve Angell/tdm)
Subject: [ale] Code Red II

From the AJC (but useful anyway, IMO)...

NATIONAL TECH NEWS . . .

NEW WORM DUBBED CODE RED II
   A new worm, aping the injection vector of the now infamous Code Red worm
but carrying a much more dangerous payload, was found Sunday, according to
security firms Security Focus and eEye Digital Security.
http://www.ajc.com/business/ap/codered2.html

NEW CHIEF AT GOOGLE
   Web search operation Google Inc. named the former CEO of Novell Inc. as
its chief executive, succeeding 28-year-old Larry Page, one of the site's
founders. The privately held Mountain View, Calif.-based company selected
Eric E. Schmidt, 46, who had been appointed chairman of Google's board of
directors last March. Page will become products president, and co-founder
Sergey Brin, 27, will become technology president.

Kind of scary that I knew Eric Schmidt when we both were students
at Berkeley.  It's rare that an engineer hits the big time.  --Bob

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
