Interestingly, Code Red II has been programmed to spread more aggressively in China than anywhere else. This may be related to the Chinese references in the original worm.
The most important feature of Code Red II is that it installs a backdoor into the systems it infects. As a result, any web surfer can execute commands on any infected web site simply by requesting suitably crafted URLs from it.
Below, a 'DIR' directory listing command has been executed through the backdoor. When a host gets infected, it starts to scan for other hosts to infect.
It probes random IP addresses, but the code is designed so that probing of neighbouring hosts is more probable. If the infected system's language is set to Chinese, the worm starts more aggressive scanning threads. The scanning runs for 24 hours after the infection (48 hours on Chinese machines), and then the system is rebooted. There is a time limit in the code that stops the worm on the 1st of October.
At that time it reboots the machine and stops spreading. The installed trojan still remains in the system! The standard command interpreter 'cmd. The worm creates these files on both the 'C:' and 'D:' drives if they exist. These copies of the 'cmd. SFC is responsible for checking the integrity of system files. This makes sure that even if the copies of 'cmd.
The first one fixes the vulnerability the worm uses to spread. The second one fixes the problem that makes Windows run the trojanized 'explorer.
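As an added example (not code from the original article), the following Python detector scans constructed IIS-style log lines for requests that invoke a dropped cmd.exe copy through the URL, which is the pattern the backdoor described above relies on. The log format, field order and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not taken from the original page).
# Fields: date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-08-05 10:12:01 192.0.2.10 GET /default.htm - 200
2001-08-05 10:12:07 198.51.100.7 GET /c/cmd.exe /c+dir 200
2001-08-05 10:12:09 198.51.100.7 GET /d/cmd.exe /C+DIR 200
2001-08-05 10:13:00 203.0.113.5 GET /images/logo.gif - 304
2001-08-05 10:13:30 198.51.100.7 GET /scripts/%63md.exe /c+dir 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)
# The worm drops cmd.exe copies under web-reachable paths on C: and D:,
# so match on the file name only, not on a fixed directory.
CMD_RE = re.compile(r"cmd\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-escapes so obfuscated spellings such as %63md.exe are normalised.
    rec["stem"] = unquote(rec["stem"])
    rec["query"] = "" if rec["query"] == "-" else unquote(rec["query"]).replace("+", " ")
    return rec


def is_backdoor_request(rec):
    """True when the request targets a cmd.exe copy and passes it a /c command line."""
    return bool(CMD_RE.search(rec["stem"])) and rec["query"].lower().startswith("/c ")


def find_backdoor_requests(log_text):
    """Return (client-ip, decoded path, command) for every backdoor-style request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_backdoor_request(rec):
            hits.append((rec["ip"], rec["stem"], rec["query"][3:].strip()))
    return hits


if __name__ == "__main__":
    for ip, stem, command in find_backdoor_requests(SAMPLE_LOG):
        print(f"{ip} ran '{command}' via {stem}")
```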
Both patches must be applied.

Delete the line that contains the reference to the malware service. Make sure that you leave a blank line under the last legitimate entry that is listed, and then click OK. Notes about the Services table: all the entries in the Services table are valid entries, except for the items that are highlighted in bold. The highlighted, malicious entry that is supposed to resemble the first letter is a lowercase "L.
In a previous procedure, you noted the name of the malware service. In our example, the name of the malware entry was "Iaslogon. In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service: Right-click the subkey in the navigation pane for the malware service name, and then click Permissions. In the Advanced Security Settings dialog box, click to select both of the following check boxes: Inherit from parent the permission entries that apply to child objects.
Include these with entries explicitly defined here. Replace permission entries on all child objects with entries shown here that apply to child objects. Press F5 to update Registry Editor. Note the path of the referenced DLL. Remove the malware service entry from the Run subkey in the registry. In both subkeys, locate any entry that begins with "rundll" and delete the entry. Check for Autorun. Use Notepad to open each file, and then verify that it is a valid Autorun.
The following is an example of a typical valid Autorun. Set Show hidden files and folders so that you can see the file. In step 12b, you noted the path of the referenced. For example, you noted a path that resembles the following: Click Tools, and then click Folder Options. Edit the permissions on the file to add Full Control for Everyone.
Click Everyone, and then click to select the Full Control check box in the Allow column. Delete the referenced. Turn off Autorun to help reduce the effect of any reinfection.
For more information, click the following article number to view the article in the Microsoft Knowledge Base: If you are running Windows Vista or Windows Server, install the security update. Note: the update and the security update are not related to this malware issue. These updates must be installed to enable the registry function in step 23b. If the system is running Windows Defender, re-enable the Windows Defender autostart location.
To do this, type the following command at the command prompt: To change this setting back, type the following command at a command prompt: If, after you complete this procedure, the computer seems to be reinfected, either of the following conditions may be true:
One of the autostart locations was not removed. For example, either the AT job was not removed or an Autorun. This malware may change other settings that are not addressed in this article. To do this, type the following commands at the command prompt. To verify the status of the SvcHost registry subkey, follow these steps:

Published Apr 09, Updated Sep 15. This variant deletes its own executable on May 3. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS immediately.
Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here. Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives.
What to do now: use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer.
Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Modified by: Byron Jon Gelera. File Size: 70, bytes.