
e-mail problem possible explanation--code red ii

updated thu 9 aug 01

 

Steve Mills on wed 8 aug 01


Further to Fabienne's comments, my ISP issued a bulletin on that subject
this morning. I have quoted the relevant sections of it below:

>This is a new variant, which installs a 'backdoor' allowing any
other person to take remote control of the system affected.

This new variant, becoming known as Code Red II, began
circulating over the weekend. It attacks installations of
IIS (web server) on Windows NT and 2000 - on the latter, IIS
is often installed by default, often without the user realising
it, so it is essential to carefully investigate to determine
whether you are vulnerable. The attack relies upon the same
security hole as Code Red, so systems which have been patched
prior to August 1st, as previously recommended, are not believed
to be vulnerable to this variant.

Details of the worm are available at:

http://www.incidents.org/react/code_redII.php

Most current virus scanning tools can now detect this worm.

The patch for the vulnerability is available from Microsoft at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

This is the same patch as needed to secure from Code Red since
the same mechanism is used. If you have already applied this, it
does not need applying again.

This new variant can NOT be cleaned simply by rebooting. It
installs the 'backdoor', allowing others complete control of
your system and it ensures that the backdoor will stay on the
system.<

They then recommend that:

>that ALL CUSTOMERS running Windows 2000 or NT
check to see if they are running a Web Server even if they do
not believe they are. We reiterate that IIS is installed by
many configurations of Windows 2000 by default without the user
being aware of this.

This can be done on most versions of Windows by opening a
'DOS Box' (also known as 'MS-DOS Prompt' or 'command prompt')
and typing the command:

netstat -an | more

Any entry with ':80' in the 'local' column means you are running
a web server.

At present there appears to be little advice available on
removing this worm from an infected system. Most authorities on
the matter appear to be suggesting a complete reformat and
re-installation as the best method, since it is impossible to
determine what has been done through the planted 'backdoor'.<

End of quotes

Steve
Bath
UK



In message , Fabienne Micheline Cassman
writes
>I see a lot of people mentioning they have e-mail delivery problems. There
>is a new virus, code red II, that hit the market place and Microsoft was
>still working on the patch for email server last night (8/6), ie there is
>no protection from it yet from a server's standpoint. I suspect John
>Mottl, our list tech. admin, is having a field trip over this right
>now. Update your virus scan files, they are available. It could be that
>your provider is wrestling with this issue. Just a thought :)
>
>Fabienne
>--
>Milky Way Ceramics http://www.milkywayceramics.com/
>
> Yes, I have learned from my mistakes...
> I can reproduce them exactly.

--
Steve Mills
Bath
UK
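A stricter form of the netstat check in the ISP bulletin quoted above, as an added example that is not part of the original post or the bulletin: it parses `netstat -an` output (a constructed sample is embedded) and reports only TCP sockets LISTENING on exactly port 80, so that a ':8080' listener or an outbound connection to a remote web server's port 80 does not produce a false match the way a plain ':80' search does.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:8080      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One connection line: protocol, local address, foreign address, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples for each connection line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return rows


def port_of(addr):
    """Port number of an address such as '0.0.0.0:80' or '[::]:80' (last ':'-separated field)."""
    return int(addr.rsplit(":", 1)[1])


def web_server_listeners(text, port=80):
    """Local addresses with a TCP socket LISTENING on exactly `port`.
    This is the bulletin's ':80 in the local column' rule made strict: the port must
    match exactly and the socket must be a listener, not an outbound connection."""
    return [local for proto, local, foreign, state in parse_netstat(text)
            if proto == "TCP" and state == "LISTENING" and port_of(local) == port]


def naive_matches(text):
    """The bulletin's literal check, for comparison: any connection line containing ':80'."""
    return [line.strip() for line in text.splitlines() if ":80" in line]


if __name__ == "__main__":
    # Run against the live host; `netstat -an` exists on Windows and most Unix systems.
    import subprocess
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print(web_server_listeners(out) or "no TCP listener on port 80")
```

On the constructed sample the naive ':80' search flags three lines, while the strict check reports only the single real port-80 listener.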