Exactly, CR2 is on disk, not only in memory. It infects explorer.exe, and
adds some registry settings.

Maybe just

Lynx -source http://infectedhost/scripts/root.exe+/c+format+-y+c:

Would be a better solution. :)

> -----Original Message-----
> From: Dave Sherohman [mailto:esper at sherohman.org]
> Sent: Tuesday, August 07, 2001 2:19 PM
> To: 'tclug-list at mn-linux.org'
> Subject: Re: [TCLUG] Code Red Auto Fix
>
>
> On Tue, Aug 07, 2001 at 01:57:02PM -0500, Brian wrote:
> > On Tue, 7 Aug 2001, Austad, Jay wrote:
> > You already did:
> >
> > > Lynx -source http://infectedhost/scripts/root.exe+/c+reboot
> >
> > IIRC the worm doesn't ever store itself on disk. It seems odd, then,
> > that an NT machine went from July 19 to Aug 1 without a reboot. So I
> > may not be correct on this. If you install the patch and reboot the
> > server, I think you've fixed the problem.
>
> That is true of CR1, but not CR2, which trojans explorer.exe
> to make some registry settings as soon as a user logs in.
> These settings make the C:\ and D:\ directories available via
> port 80. Patching that one up requires that you remove the
> worm from memory, remove the trojaned explorer.exe, not have
> an explorer.exe running (it recreates the registry settings
> every 10 minutes), and remove the registry settings. And hope
> that nobody has used the remote access to plant additional backdoors.
>
> May as well just wipe the system and be done with it if CR2
> takes root.
>
> --
> With the arrest of Dimitry Sklyarov it has become apparent
> that it is not safe for non US software engineers to visit
> the United States. - Alan Cox
> "To prevent unauthorized reading..." - Adobe eBook
> reader license
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
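The thread describes two things a defender can look for in web server logs after a CR2 infection: requests to the dropped /scripts/root.exe backdoor (called with a "+/c+command" argument, as in the Lynx one-liners above) and requests walking the C:\ and D:\ drives that the worm's registry changes expose over port 80. The following scanner is an added example, not code from the thread or from any of its participants. It assumes IIS-style W3C log lines with the field order given in the embedded sample, that the exposed drives show up as "/c/" and "/d/" path prefixes (an assumption based on the description above, not a value stated in the thread), and uses constructed log lines rather than captured ones.

```python
"""Flag Code Red II backdoor activity in IIS-style W3C log lines.

Added example for the TCLUG thread; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (fields: date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status). Not captured from a real host.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 14:20:01 192.0.2.10 GET /default.htm - 200
2001-08-07 14:20:05 192.0.2.45 GET /scripts/root.exe /c+dir 200
2001-08-07 14:20:09 192.0.2.45 GET /c/winnt/win.ini - 200
2001-08-07 14:21:00 192.0.2.77 GET /images/logo.gif - 200
2001-08-07 14:21:30 192.0.2.45 GET /scripts/root.exe /c+reboot 502
2001-08-07 14:22:00 192.0.2.99 GET /d/ - 404
"""

# The thread names /scripts/root.exe as the backdoor the worm drops.
BACKDOOR_STEM = re.compile(r"/scripts/root\.exe$", re.IGNORECASE)
# Assumption: the worm-exposed C:\ and D:\ drives appear as /c/ and /d/.
VROOT_STEM = re.compile(r"^/[cd]/", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    stem: str
    query: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into its seven expected fields, or None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that touches the backdoor or
    the exposed drive roots. Directive (#) and blank lines are skipped."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec is None:
            continue
        if BACKDOOR_STEM.search(rec["stem"]):
            # Any hit here is a real problem, whatever the status code:
            # even a failed call means someone knows root.exe is there.
            findings.append(Finding(line_no, rec["ip"], rec["stem"],
                                    rec["query"], "root.exe backdoor invoked"))
        elif VROOT_STEM.match(rec["stem"]):
            findings.append(Finding(line_no, rec["ip"], rec["stem"],
                                    rec["query"],
                                    "request through worm-exposed drive root"))
    return findings


def suspicious_clients(findings: List[Finding]) -> List[str]:
    """Distinct client addresses that triggered any finding, sorted."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.client} {f.stem} {f.query} -> {f.reason}")
    print("clients to investigate:", ", ".join(suspicious_clients(hits)))
```

Any hit on the root.exe pattern is evidence the host was already compromised and, as the quoted message says, that someone may have used the access to plant further backdoors; the client list is the starting point for checking what else those addresses requested.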