Please note: This material is no longer current and appears online for archival purposes only.
Use the search and navigation tools above to locate more up-to-date materials, if they exist.

Code Red Recovery Instructions

Code Red I

To remove the worm from machines infected with the original Code Red worm (Code Red I):

1.  Apply the latest Microsoft service pack and all relevant security hotfixes, in that order.  Service packs must be applied before hotfixes, since service packs will sometimes overwrite previously applied hotfixes.  Please use the Microsoft hotfix checker to identify all security-critical hotfixes.  Download and installation instructions for the hotfix checker are available at:

http://support.microsoft.com/support/kb/articles/q303/2/15.asp

In particular, be sure to apply the following hotfixes:

     a.)  Microsoft hotfix for the IIS ida/idq vulnerability.  This is the vulnerability that Code Red exploits:

     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp

     b.)  Microsoft hotfix for the IIS Directory traversal vulnerability.  This is the vulnerability that the IIS/sadmind worm exploits.  Information on the relevant hotfixes is available at:

     http://www.cert.org/advisories/CA-2001-11.html

2.  Reboot the machine.  This is necessary to remove the worm from memory.

For further information on detecting and patching Code Red, see

http://www.incidents.org/react/code_red.php

Code Red II

To remove the worm from machines infected with the newer Code Red II worm:

1.  Rebuild the system from original media.  Do not try to use worm removal tools, since they cannot remove backdoors added subsequent to infection.

2.  Apply the latest Microsoft service pack and all relevant security hotfixes, in that order.  Service packs must be applied before hotfixes, since service packs will sometimes overwrite previously applied hotfixes.  Please use the Microsoft hotfix checker to identify all security-critical hotfixes.  Download and installation instructions for the hotfix checker are available at:

http://support.microsoft.com/support/kb/articles/q303/2/15.asp

In particular, be sure to apply the following hotfixes:

     a.)  Microsoft hotfix for the IIS ISAPI ida/idq vulnerability.  This is the vulnerability that Code Red exploits:

     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp

     b.)  Microsoft hotfix for the IIS Directory traversal vulnerability.  This is the vulnerability that the IIS/sadmind worm exploits.  Information on the relevant hotfixes is available at:

     http://www.cert.org/advisories/CA-2001-11.html

For more information on detecting Code Red II, see:

http://www.incidents.org/react/code_redII.php


Getting help

Faculty and staff: Contact your local support provider. A directory is available (www.upenn.edu/computing/view/support/). Contact First Call at 215-573-4778 or send e-mail to help@isc.upenn.edu to request a referral if you are not sure who to contact.

Students in the College Houses and Mayer Hall: Contact the College House Computing program (www.rescomp.upenn.edu/) by filling out an online help request form. A list of houses and links to request forms are available.

Students living off-campus, in Sansom East and West, or in a fraternity or sorority house: Contact First Call at 215-573-4778 or send e-mail to help@isc.upenn.edu. Walk-in assistance is also available at the Computing Resource Center (CRC) (www.upenn.edu/computing/isc/csg/) (Sansom Place West, 3650 Chestnut St., Suite 202). The CRC is open Monday through Friday, from 2:00 PM to 4:30 PM.

For more information on where to go for computing support services, check the Support Look-up Table (www.upenn.edu/computing/view/support/). You can also contact First Call at 215-573-4778 for a referral.

For information about using Internet applications, see the Computing Publications and Documentation page (www.upenn.edu/computing/help/doc/).




Information Systems and Computing
University of Pennsylvania