Code Red Worm InfoSec Bulletin
http://www.digitalisland.net/codered/

As a service to the Internet community, Digital Island
<http://www.digitalisland.net/> is providing global access to these
consensus step-by-step instructions for eliminating the Code Red worm
vulnerability. The information provided here is from the SANS Institute.

In addition, we are making available the SANS Institute's short course
(audio <http://www.digitalisland.net/codered/CodeRed.mp3>,
PPT <http://www.digitalisland.net/codered/CodeRed.ppt>,
and PDF <http://www.digitalisland.net/codered/CodeRed.pdf>)
on how to eliminate the problem in Microsoft's IIS web server that makes
Windows NT and Windows 2000 systems vulnerable to the Code Red worm. Code
Red has already infected more than 300,000 Windows servers and, on July
19th, caused major degradation of the Internet. It will begin a new
infestation on Tuesday evening, July 31. Anyone who runs Windows 2000 or
Windows NT may be infecting other users and hurting performance on the
Internet (Windows 95, 98, and ME users are unaffected). Patching your system
to keep it from being infected is critically important.

Follow this easy three-step process for protecting your computer if you are
running IIS version 4 or 5 on your computer, and you have not yet installed
the Code Red patch.  To execute this process, you must be logged onto your
computer's administrator account, or an account that has administrative
privilege on your computer.

To determine whether you are running IIS:

Launch Task Manager (an easy way to do that is to press the CTRL, ALT, and
DEL keys at the same time, and then click on 'Task Manager' in the dialogue
box).

Go to the Processes tab and look for Inetinfo.exe in the Image Name column.

If it is there, you are running IIS and need to install the necessary patch.
If not, you are not running IIS and no further action is required.


If you find you are running IIS 4.0 or 5.0, then do the following:

Step 1. Download the patch from Microsoft

1.1  Create a folder anywhere on your hard drive and name it
Microsoft-patches so you'll have a place to store this patch and future
patches

1.2  Windows 2000 and Windows NT have separate patches. Select the
appropriate one and save the file in the folder you created in Step 1.1.

-  Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

-  Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800



Step 2. Install the patch

2.1 Double-click on Windows Explorer.  You may find Windows Explorer behind
the Start button or somewhere on the Programs menu.

2.2 Go to the Microsoft-patches folder you created in Step 1.1

2.3 Find the patch:

    In Windows NT, the patch is named simply: Q300972i.exe

    In Windows 2000, it is called: q300972_w2k_sp3_x86_en.exe

2.4 Double click on the patch program

2.5 When it has finished, you will see a small pop-up that shows your system
has been updated:
http://www.digitalisland.net/codered/CodeRed-Step2.jpg

Step 3. Reboot your system to clear the worm from RAM

By rebooting, you not only activate your patch, but you also clean out the
worm if you had been previously infected.

Optional verification step: If you want to see whether your system has been
patched correctly, open a command prompt (from the Start menu, click Run).
Then run the patch program from the command line (include its folder in the
command) and use the -L "dash L" switch. Running this command will give you
a listing of all the hot fixes that are installed on your machine. If the
patch was installed successfully, you'll see its name in the list.
http://www.digitalisland.net/codered/CodeRed-Step3.jpg

Additional Resources

Additional information about the patch and its installation, and the
vulnerability it addresses is available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.

If you are concerned that damage may have been done to your system by the
worm, you may wish to follow the recovery procedures documented at:
http://www.cert.org/tech_tips/root_compromise.html.

PLEASE NOTE: The patches can be installed only on Windows 2000 and Windows NT
4.0 systems that have had recent service packs installed.  If your system
does not already have the required service pack, the patch installation will
produce an error message advising you that the patch will not install on
your system.  For a free download of Windows 2000 Service Pack 2, go to
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp.
For a free download of Windows NT 4.0 Service Pack 6a, go to
http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp.

If you have problems installing the patch, contact Microsoft product support
at [EMAIL PROTECTED]  Questions related to installation and support of
all security patches are handled without charge.



The SANS Institute has also set up an email question and answers service
staffed by GIAC certified Windows 2000 security professionals from all over
the world.  You may send them questions at [EMAIL PROTECTED]  Please do not
use this service for anything other than Code Red patch installation
problems.


The short course is 30 minutes long and answers four questions:

What does the Code Red worm do, and who is vulnerable to it?
How can you rid yourself of the vulnerability used by the worm?
How can you block similar attacks - even those the hackers have not yet
discovered?
What else can you do to keep your system safe?

Taking the Free Course
The class is taught by Jason Fossen, the top-rated Windows security teacher
in the United States. This brief program is a subset of his award-winning
five-day certification course on Securing Windows, presented by the SANS
Institute.

To watch the short course, download the audio and slide files:

Audio File (MP3)
Slides (PDF)
Slides (PowerPoint)

A word from SANS:

"The SANS Institute is indebted to Digital Island for this public service.
We asked for Digital Island's help because it has continually set the
standard for providing its customers with trusted Internet connectivity --
from both a performance and a security perspective."
Alan Paller, Director of Research, The SANS Institute

About SANS
SANS is a cooperative research and education organization through which more
than 12,000 professionals maintain state of the art security skills each
year and through which 125,000 other security and networking professionals
share the challenges they face and the solutions they discover. Information
about education programs and free digests: www.sans.org


Copyright Digital Island
