I know a few people complained to Symantec about the false positive results. 
If eEye's tool tells you that you're not vulnerable, then you're not.

If you think that you have the trojan then run Microsoft's cleaner 
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codealrt.asp) 

I went through this last week when I tested Symantec's tool on my test 
boxes. It gave false positive results to machines that could not be infected 
with Code Red. What's funny is that not one of my NT test boxes came up with 
a false positive, only the W2K servers. After seeing other posts and talking 
to other admins, we determined that Symantec sucks and that they can shove 
their tool up you know what. 

~Seth 

Zangara, Jim writes: 

> Did the Eeye one when I patched it - showed not vulnerable then and does now
> - but what about this back door?  Does this check for the back door that
> code red II might have left?  The Symantec tool always says the server is
> not vulnerable and no trojans were present but the memory scan can come up
> with it present in memory almost 50% of the time - even immediately after a
> reboot. 
> 
> Man this sucks - If I ever get my hands on these code red A-Holes.... 
> 
> Jim Zangara, MCSE+I 
> Special Projects Engineer 
> Premiere Radio Networks 
> A Division of Clear Channel Communications 
> 15260 Ventura Blvd Suite 500 
> Sherman Oaks, CA 91403 
> Direct: (818) 461-8620 
> mailto:[EMAIL PROTECTED]  
> 
>  
> 
> 
> -----Original Message-----
> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]] 
> Sent: Saturday, August 18, 2001 1:55 PM
> To: NT System Admin Issues
> Subject: Re: Code Red Got me 
> 
> 
>  From the people who discovered Code Red:
> http://www.eeye.com/html/Research/Tools/codered.html  
> 
> qfecheck will tell you if your W2K patches are installed correctly:  
> 
> http://support.microsoft.com/support/kb/articles/q282/7/84.asp?LN=EN-US&SD=gn&FR=0&qry=qfecheck&rnk=19&src=DHCS_MSPSS_gn_SRCH&SPR=MSALL  
> 
> ~Seth  
> 
> Zangara, Jim writes:  
> 
>> Actually yes - that is what is giving me the positives.    
>> 
>> But the server is kinda funky anyway so a reinstall does not worry me 
>> too much.  I have been working with PSS for a couple of weeks on a 
>> security problem with it as it is - I can't assign permissions graphically 
>> - only by using cacls.    
>> 
>> Is there any other tool that I can test - any way to know for sure? 
>> 
>> An in place upgrade will most likely fix my PSS/Security problem but 
>> if I am infected it would not help that. 
>> 
>> I just want to be sure!!! 
>> 
>> Jim Zangara, MCSE+I
>> Special Projects Engineer 
>> Premiere Radio Networks 
>> A Division of Clear Channel Communications 
>> 15260 Ventura Blvd Suite 500 
>> Sherman Oaks, CA 91403 
>> Direct: (818) 461-8620 
>> mailto:[EMAIL PROTECTED]   
>> 
>>   
>> 
>> 
>> -----Original Message-----
>> From: Seth M. Kusiak [mailto:[EMAIL PROTECTED]]
>> Sent: Saturday, August 18, 2001 1:39 PM
>> To: NT System Admin Issues
>> Subject: Re: Code Red Got me  
>> 
>> 
>> You're not using Norton's FixCRed.exe, are you? Because if you are, the 
>> tool DOES NOT give accurate results.  
>> 
>> It told me that a server with IIS NOT EVEN INSTALLED was infected (in
>> memory). What a crappy tool.   
>> 
>> ~Seth 
>> 
>> 
>> Zangara, Jim writes: 
>> 
>>> I know I patched this server but I am not taking any more chances. 
>>> 
>>> Hello Folks - 
>>> 
>>> It appears one of my servers got the backdoor worm - I can scan it
>>> sometimes and it shows clean and other times a memory scan shows an 
>>> infection.  There is no root.exe file anywhere on the server so I am 
>>> not totally convinced but I prefer not to take chances.  
>>> 
>>> I have disabled the www service for now and am backing up my data.  I
>>> am wondering if there is a way to recover my SAM database without 
>>> running a risk of re-infection?  I can recreate it but it would add 
>>> hours to this and I would prefer not to.  Since I do not know when the 
>>> infection took place I am not sure of a reliable pre-infection backup so 
>>> I am not even going to attempt that route.     
>>> 
>>> Would an ERD made today have the SAM?  Should I trust it if it does? 
>>> 
>>> The server is a PIII with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web
>>> server - no standalone - no domain.  
>>> 
>>> 
>>> TIA 
>>> 
>>> Jim 
>>> 
>>> 
>>> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm 
>>> 