To resolve a CodeRed-II worm infection, you must address both the active memory payload and the persistent file-system backdoors it installs.

Because CodeRed-II writes files to disk and leaves behind a backdoor that grants administrator-level access, simply rebooting the computer will not remove it (unlike the original Code Red, which lived only in memory).

1. Apply the Official Microsoft Patch

The worm spreads by exploiting a buffer overflow in the Index Server ISAPI extension (idq.dll), reached through requests for .ida files, on Microsoft Internet Information Services (IIS) 4.0 and 5.0. Download and apply the Microsoft MS01-033 security patch ("Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise").
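What the .ida probe described above looks like in the server's own logs, and a way to pick out both worm families plus later use of the dropped backdoor, as an added example that is not code from the original page. The log excerpt is constructed and the overflow padding abbreviated (real probes carry a few hundred bytes of padding before the %u-encoded payload); the /c and /d paths refer to the virtual roots CodeRed-II maps onto C:\ and D:\, which the text above does not mention.

```python
"""Classify Code Red / CodeRed-II probes and backdoor use in IIS W3C extended logs.

Added example, not code from the original page. SAMPLE_LOG is constructed and
the overflow padding is abbreviated.
"""
import re
from collections import Counter, defaultdict

# Both families overflow the Index Server ISAPI extension (idq.dll) through a
# request for /default.ida. Code Red v1/v2 pad the overflow with 'N',
# CodeRed-II with 'X'. W3C logs record cs-uri-query as its own field, so the
# pattern is matched against the query string alone (no '?').
IDA_PAYLOAD_RE = re.compile(r"^([NX])\1{15,}%u[0-9a-f]{4}", re.IGNORECASE)

# Backdoor use: the cmd.exe copies (root.exe) in the scripts and msadc
# directories, and the /c and /d virtual roots CodeRed-II maps onto C:\ and
# D:\, which expose the genuine cmd.exe.
BACKDOOR_RE = re.compile(
    r"^/(?:scripts|msadc)/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$",
    re.IGNORECASE,
)

# Constructed sample: one Code Red probe, two CodeRed-II probes (the last one
# after the .ida mapping was removed, hence 404), and one use of root.exe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-05 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 00:01:12 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-05 00:01:30 198.51.100.7 GET /index.html - 200
2001-08-05 00:02:05 192.0.2.45 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-05 00:02:40 192.0.2.45 GET /scripts/root.exe /c+dir 200
2001-08-05 00:03:01 192.0.2.46 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-assign fields
        yield dict(zip(fields, values))


def classify(entry):
    """Return 'codered', 'codered2', 'backdoor', or None for one parsed entry."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    if stem.lower() == "/default.ida":
        m = IDA_PAYLOAD_RE.match(query)
        if m:
            return "codered2" if m.group(1).upper() == "X" else "codered"
    if BACKDOOR_RE.match(stem):
        return "backdoor"
    return None


def scan_log(text):
    """Count hits per category and collect the source addresses behind them."""
    counts = Counter()
    sources = defaultdict(set)
    for entry in parse_w3c(text):
        kind = classify(entry)
        if kind:
            counts[kind] += 1
            sources[kind].add(entry.get("c-ip", "?"))
    return {"counts": dict(counts), "sources": {k: sorted(v) for k, v in sources.items()}}


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Feed a real IIS W3C log in place of SAMPLE_LOG. Note the 404 on the last probe: once the .ida mapping is removed (step 4), IIS treats default.ida as a missing static file, so the probe is still logged but the payload never reaches idq.dll. The source address still matters, because a host sending this request is itself infected.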

Alternatively, move to a newer operating system or IIS version in which this legacy vulnerability no longer exists.

2. Disinfect the System & Remove Backdoors

CodeRed-II installs a Trojan backdoor by copying the command interpreter (cmd.exe) into web-accessible script directories as root.exe, so that anyone who can reach the web server over HTTP can run arbitrary commands on the machine with administrator-level privileges.

Use the official Microsoft CodeRedII Disinfection Tool to automatically scan, neutralize, and clean up the malicious files.

Manual Removal: If cleaning by hand, go to the web server's script directories (typically \inetpub\scripts and \progra~1\common~1\system\msadc) and delete the unauthorized root.exe copies. Then delete the trojan explorer.exe the worm drops in the root of the C: and D: drives; the genuine explorer.exe lives in the Windows directory and must be left alone.

3. Terminate Active Processes

The worm creates multiple execution threads in memory to scan random IP addresses for new targets.

Reboot the machine immediately after applying the security patch.

This flushes the worm's scanning threads out of memory. It does nothing for the files on disk, which is why the patch (step 1) and the backdoor removal (step 2) come before the reboot; otherwise the host is simply reinfected.

4. Close Exploitable Script Mappings

If you cannot patch the system immediately, you can break the worm’s propagation path by disabling the specific file mappings it targets. Open the Internet Services Manager.

Go to the master properties of your Web Server (WWW Service, Edit), open the Home Directory tab, click Configuration, and under App Mappings remove the .ida and .idq entries. This stops .ida/.idq requests from ever reaching idq.dll; it is a stopgap, not a fix, because the vulnerable DLL is still on disk until the patch is applied.

Summary of Differences: Code Red vs. CodeRed-II

                    Code Red (v1 / v2)                                  CodeRed-II
Primary payload     Web defacement & White House DoS                    Trojan backdoors (root.exe) with administrator-level access
Persistence         Memory-only (clears on reboot)                      Writes files to disk (survives reboot)
Target scanning     Random IP generation (v1 reused a fixed seed)       Biased toward the local /8 and /16 to spread faster
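The manual check from step 2, as an added example rather than the page's own procedure or Microsoft's cleanup tool: it looks for root.exe in the two script directories, confirms a find by comparing its hash to the real cmd.exe, flags an explorer.exe sitting at the drive root, and moves what it finds into a quarantine directory instead of deleting it, so the files survive for forensics. The directory layout (WINNT, Program Files) assumes an NT4/2000 install; the demo builds a constructed drive tree in a temporary directory so the script runs anywhere.

```python
"""Locate and quarantine CodeRed-II backdoor artifacts under a Windows drive root.

Added example, not from the original page or from Microsoft's cleanup tool.
Paths assume the NT4/2000 layout (assumption); adjust ROOT_EXE_DIRS and
CMD_EXE for other installs.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Web-accessible directories where the worm drops cmd.exe as root.exe.
ROOT_EXE_DIRS = (
    Path("inetpub") / "scripts",
    Path("Program Files") / "Common Files" / "System" / "msadc",
)
# Genuine command interpreter; a root.exe hashing identical to it is the backdoor.
CMD_EXE = Path("WINNT") / "system32" / "cmd.exe"
# Genuine explorer.exe lives here; a copy at the drive root is the worm's trojan.
REAL_EXPLORER = Path("WINNT") / "explorer.exe"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_artifacts(drive_root):
    """Return [(path, reason), ...] for backdoor artifacts found under drive_root."""
    drive_root = Path(drive_root)
    findings = []
    cmd_path = drive_root / CMD_EXE
    cmd_hash = sha256_of(cmd_path) if cmd_path.is_file() else None

    for rel in ROOT_EXE_DIRS:
        candidate = drive_root / rel / "root.exe"
        if not candidate.is_file():
            continue
        reason = "root.exe in web-accessible script directory"
        if cmd_hash and sha256_of(candidate) == cmd_hash:
            reason += " (byte-identical to cmd.exe)"
        findings.append((candidate, reason))

    rogue = drive_root / "explorer.exe"
    if rogue.is_file():
        findings.append((rogue, "explorer.exe at drive root (trojan copy)"))
    return findings


def quarantine(findings, quarantine_dir):
    """Move each flagged file into quarantine_dir; keep it for forensics rather than deleting."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for path, _reason in findings:
        dest = quarantine_dir / path.name
        n = 1
        while dest.exists():  # both root.exe copies share a name
            dest = quarantine_dir / f"{path.name}.{n}"
            n += 1
        shutil.move(str(path), str(dest))
        moved.append(dest)
    return moved


def build_infected_tree(base):
    """Constructed sample drive: fake cmd.exe, two root.exe copies, a rogue explorer.exe."""
    base = Path(base)
    fake_cmd = b"MZ-fake-cmd-exe"  # constructed stand-in for the real binary
    (base / CMD_EXE).parent.mkdir(parents=True)
    (base / CMD_EXE).write_bytes(fake_cmd)
    (base / REAL_EXPLORER).write_bytes(b"MZ-fake-explorer")
    for rel in ROOT_EXE_DIRS:
        (base / rel).mkdir(parents=True)
        (base / rel / "root.exe").write_bytes(fake_cmd)  # the worm's copy of cmd.exe
    (base / "explorer.exe").write_bytes(b"MZ-fake-trojan")
    return base


def demo():
    """Scan a constructed drive, quarantine what is found, report what remains."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_infected_tree(tmp)
        found = find_artifacts(drive)
        moved = quarantine(found, Path(tmp) / "quarantine")
        return {
            "found": [(str(p.relative_to(drive)), r) for p, r in found],
            "moved": len(moved),
            "remaining": len(find_artifacts(drive)),
        }


if __name__ == "__main__":
    for item in demo()["found"]:
        print(item)
```

On a real host call find_artifacts("C:\\") and find_artifacts("D:\\") rather than demo(); run it again after the reboot in step 3, since a still-running worm thread can drop the files back. The file check does not cover the registry changes the worm makes (the /c and /d virtual roots and the SFCDisable setting), which Microsoft's tool also reverts; inspect those separately.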

