
Code Red II: Good grief!!!



Posted

So guys, all good or what?!

Anyway, my PC is in bad shape!!!

Yeah, I caught Code Red II, that piece of junk, on Kazaa.

My Bitdefender antivirus detects it fine but doesn't get rid of it!!

I tried some anti-trojans (Antitrojan 5.5, Antitrojan First Aid Kit), nothing doing!!!

So, who knows a good anti-trojan, or even an antivirus, that can rid me of this nasty thing...

Seriously guys, I swear!! You know what this filthy virus did!!! It infected my explorer (yes, yes, explorer.exe). The hassle it causes is that I'm crashing badly!!

my config: Win2000 Pro.

over to you...

Posted (edited)

Yo :P

the removal tool =>

http://www.symantec.com/avcenter/venc/data...moval.tool.html

 

Or manual removal

 

To remove this worm manually, you must apply the needed Microsoft patches, remove files, make several other changes, and then edit the registry. Please follow all instructions in the order shown.

 

To obtain the patches:

This is very important. Do not skip this step.

 

Download, obtain and apply the patch from the following Web site:

 

http://www.microsoft.com/technet/security/...in/MS01-033.asp

 

Alternatively, you can download and install the cumulative patch for IIS, which is available at:

 

http://www.microsoft.com/technet/security/...in/MS01-044.asp

 

To remove the worm files:

 

1. Terminate the current process associated with the dropped Trojan (NAV detects this as Trojan.VirtualRoot):

a. Press Ctrl+Alt+Delete, and click Task Manager.

b. Click the Processes tab.

c. Click the Image Name column heading to sort the processes alphabetically. You should see two processes named Explorer.exe: one of them is legitimate, the other is the Trojan.

d. To ensure that the correct process is terminated, click View and then click "Select Columns...."

e. Check the "Thread Count" box, and then click OK.

f. A new column will appear in the Task Manager that lists the current number of threads associated with each process. (You may have to scroll to the right to see it.)

g. Of the two Explorer.exe processes, click the one that has only one thread.

h. Once selected, click End Process. A warning message appears.

i. Click Yes to terminate the process.

j. Click File, and then click Exit Task Manager.

 

2. Next you must delete the Explorer.exe files that were created on the infected system. These files have the hidden, system, and read-only attributes.

a. Click Start, and then click Run.

b. Type the following, and then press Enter:

 

cmd

 

c. Type the following lines, and press Enter after each one:

 

cd c:\

attrib -h -s -r explorer.exe

del explorer.exe

 

This will change to the root directory, remove the attributes, and delete the Trojan from drive C.

 

d. Type the following, and then press Enter:

 

d:

 

This will change the focus to drive D if it exists. (If there is no D drive, skip to step f.)

 

e. Type the following lines, and press Enter after each one:

 

cd d:\

attrib -h -s -r explorer.exe

del explorer.exe

 

f. Type the following, and then press Enter:

 

exit

 

3. Using Windows Explorer, delete the following four files if they exist (They are simply copies of the file %Windir%\root.exe):

C:\Inetpub\Scripts\Root.exe

D:\Inetpub\Scripts\Root.exe

C:\Progra~1\Common~1\System\MSADC\Root.exe

D:\Progra~1\Common~1\System\MSADC\Root.exe

 

4. You must now open the Computer Manager to remove open shares on the Web server. To do this, right-click the My Computer icon on the desktop and then click Manage.

 

[screenshot: codered.ii.1.gif]

 

The Computer Management window appears.

 

5. In the left pane, navigate to \Computer Management (local)\Services and Applications\Default Web Site.

6. In the right pane, right-click on the drive C icon and then click Delete. Repeat this step for any other drives that are listed under the Default Web Site.

 

[screenshot: codered.ii.2.gif]

7. Go on to the next section.

 

To edit the registry:

 

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

 

1. Click Start, and click Run. The Run dialog box appears.

2. Type regedit and then click OK. The Registry Editor opens.

3. Navigate to the key

 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots

 

In the right pane you will see several values. Two of these values can be deleted as they were created by CodeRed II. Others must be changed.

 

4. Select the value

 

/C

 

5. Press Delete, and then click Yes to confirm.

6. Select the value

 

/D

 

7. Press Delete, and then click Yes to confirm.

8. Double-click the value

 

/MSADC

 

9. Delete only the digits 217 from the current value data and replace them with the digits 201, and then click OK.

 

10. Double-click the value

 

/Scripts

 

11. Delete only the digits 217 from the current value data and replace them with the digits 201, then click OK.

 

NOTE: The CodeRed Removal tool deletes the /MSADC and /Scripts entries from the registry completely. After using the tool, upon restarting IIS, these entries will be recreated with the proper values.

 

12. Do one of the following:

If this is not a Windows 2000 system, skip to step 16.

If this is a Windows 2000 system, go on to step 13.

 

13. Navigate to the key

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

 

14. In the right pane, double-click the value

 

SFCDisable

 

15. Delete the current value data, and then type 0 (That is the number zero, not the letter "O"). Click OK.

16. Exit the Registry Editor.

17. Restart the computer to ensure that CodeRed II has been properly removed.

Additional information:

 

Once a computer has been attacked by CodeRed II, it is very difficult to determine what else it has been exposed to. Most likely an infected system will not yet have been further compromised. However, some of these computers have now been made vulnerable to attack, allowing for the possibility that other malicious activities have been executed. Unless--by reading the logs--you can be absolutely sure that nothing else malicious has been done to the computer, it may be best to completely reinstall the system. This way you can be 100 percent sure that the computer is clean.

Write-up by: Peter Szor and Eric Chien

 

source: Source

 

thanks to Google and copy-paste :-( , if I were you I'd use the automatic tool to shoot it

Edited by Y@kuz@
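The registry part of the procedure quoted above, as an added example that is not from the Symantec write-up or from either poster: a small Python script that parses a regedit export (a .reg file) and flags the indicators the write-up lists (the /C and /D virtual roots the worm adds, access flags 217 on /MSADC and /Scripts where 201 is expected, and a non-zero SFCDisable), then produces the corrected values so a before/after diff can be checked without touching the live registry. The .reg sample is constructed for the example, and the assumption that the digits the write-up refers to are the field after the last comma of a Virtual Roots value is mine, not the page's.

```python
"""Check a Windows .reg export for the Code Red II registry indicators named in the
Symantec write-up: /C and /D virtual roots, access flags 217 on /MSADC and /Scripts
(201 expected), and a non-zero SFCDisable. Sample data below is constructed, not
taken from a real host. Added example, not code from the forum or from Symantec."""
import re

VROOTS_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"

# Constructed .reg export resembling regedit's "Export" output on an affected machine.
# The SFCDisable value is an arbitrary non-zero placeholder, not the worm's real value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,201"
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\program files\\common files\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
"SFCDisable"=dword:00000001
'''


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] sections, "name"="string"
    and "name"=dword:hex values. Returns {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes and backslashes inside string data
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def access_flags(vroot_data):
    """Assumption: the digits the write-up says to change (217 -> 201) are the
    field after the last comma of the Virtual Roots string."""
    return vroot_data.rsplit(",", 1)[-1].strip()


def find_indicators(keys):
    """Return a list of human-readable findings; empty means nothing from the write-up matched."""
    findings = []
    vroots = keys.get(VROOTS_KEY, {})
    for name in ("/C", "/D"):
        if name in vroots:
            findings.append(f"{name}: virtual root created by Code Red II, delete it")
    for name in ("/MSADC", "/Scripts"):
        if name in vroots and access_flags(vroots[name]) == "217":
            findings.append(f"{name}: access flags 217, change to 201")
    sfc = keys.get(WINLOGON_KEY, {}).get("SFCDisable")
    if sfc not in (None, 0):
        findings.append(f"SFCDisable={sfc}: Windows File Protection disabled, set to 0")
    return findings


def remediated(keys):
    """Return a copy with the write-up's registry fixes applied (nothing is written to
    the real registry), so the corrected values can be reviewed before acting."""
    fixed = {k: dict(v) for k, v in keys.items()}
    vroots = fixed.get(VROOTS_KEY, {})
    vroots.pop("/C", None)
    vroots.pop("/D", None)
    for name in ("/MSADC", "/Scripts"):
        if name in vroots and access_flags(vroots[name]) == "217":
            vroots[name] = vroots[name].rsplit(",", 1)[0] + ",201"
    if "SFCDisable" in fixed.get(WINLOGON_KEY, {}):
        fixed[WINLOGON_KEY]["SFCDisable"] = 0
    return fixed


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in find_indicators(parsed):
        print("[!]", finding)
    print("after fix:", find_indicators(remediated(parsed)))
```

Run it against `regedit /e` output from the two keys instead of the constructed sample to get the same report for a real machine; the script only reads the export, so the actual deletions and edits still happen in regedit, after the backup the write-up insists on.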
