'*********************************************************************************** ' Script Name: AntiCodeRed2.vbs ' Version: 1.9 ' Author: Jason Fossen, The SANS Institute 'Last Updated: 8/22/01 ' Purpose: Reverse out changes made by Code Red 2 worm on IIS 5.0 servers. ' Usage: The script is independent of CSCRIPT.EXE or WSCRIPT.EXE, so it can ' be simply double-clicked or run from the command-line. Use the ' "/?" switch at the command-line to get more options. ' Notes: This script is part of the 5-day "Securing Windows" series of ' seminars provided by the SANS Institute (www.sans.org). ' Keywords: IIS, Code Red, CodeRed2, worm, SANS, Fossen ' Legal: 0BSD. '*********************************************************************************** ' Details: This script can do the following, depending on options selected: ' Prompt the user with a GUI pop-up dialog box to automatically ' print on the default printer information about patch URLs, etc. ' Give the user an easy-to-read summary of "Worm Signs" remaining, i.e., ' the user should see "Worm Signs Count = 0" when the script is done. ' Back up the metabase before any changes are made to it. ' Delete c:\explorer.exe ' Delete d:\explorer.exe ' Delete c:\Inetpub\scripts\root.exe ' Delete d:\Inetpub\scripts\root.exe ' Delete c:\progra~1\common~1\system\MSADC\root.exe ' Delete d:\progra~1\common~1\system\MSADC\root.exe ' Delete any /C or /D virtual IIS folders from registry. ' Delete any /C or /D virtual IIS folders from metabase, ' by enumerating through all installed websites, no limit. ' Reset the default permissions on /Scripts and /MSADC in ' every website enumerated. The script does not simply ' delete the mappings because people are using them! Besides, ' a fix is supposed to return a box to its configuration ' before the infection, not re-configure the box. ' Resets the SFCDisable registry value to its default (0, or "On") ' but only if it had been set to 0xFFFFFF9D. There are ' legitimate reasons to sometimes change the default, so this ' script will not override the user's decision to change the default. ' Write an event to the Application event log with results summary. ' Write to standard-out a summary of results (can be redirected). ' Supports a "/silent" command-line switch suitable for Group Policy use. ' Supports a "/disable" switch to stop and disable the IIS service. '*********************************************************************************** On Error Resume Next '*********************************************************************************** ' sPatchInfo displays instructions and URLs to patches. '*********************************************************************************** sPatchInfo = vbCrLf & vbCrLf sPatchInfo = sPatchInfo & "Code Red II Information and Patches:" & vbCrLf sPatchInfo = sPatchInfo & "------------------------------------------" & vbCrLf sPatchInfo = sPatchInfo & "At a minimum, you must obtain two patches from Microsoft in order to" & vbCrLf sPatchInfo = sPatchInfo & "defend your servers against the Code Red worm, version 2 and earlier." & vbCrLf sPatchInfo = sPatchInfo & "These patches are free and easy to install. The URL's below give" & vbCrLf sPatchInfo = sPatchInfo & "instructions and additional information. You can also visit" & vbCrLf sPatchInfo = sPatchInfo & "http://www.digitalisland.com/codered/ for more information and help," & vbCrLf sPatchInfo = sPatchInfo & "including a free 30-minute PowerPoint presentation with audio." & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & "PATCH ONE: " & vbCrLf sPatchInfo = sPatchInfo & " http://www.microsoft.com/technet/security/bulletin/MS01-044.asp" & vbCrLf sPatchInfo = sPatchInfo & " Microsoft Security Bulletin MS01-044" & vbCrLf sPatchInfo = sPatchInfo & " Cumulative Patch for IIS" & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & "PATCH TWO:" & vbCrLf sPatchInfo = sPatchInfo & " http://www.microsoft.com/technet/security/bulletin/MS00-052.asp" & vbCrLf sPatchInfo = sPatchInfo & " Microsoft Security Bulletin MS00-052" & vbCrLf sPatchInfo = sPatchInfo & " Patch Available for Relative Shell Path Vulnerability" & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & "INSTRUCTIONS:" & vbCrLf sPatchInfo = sPatchInfo & "1) Disconnect server from the Internet immediately." & vbCrLf sPatchInfo = sPatchInfo & "2) Obtain both of the above patches." & vbCrLf sPatchInfo = sPatchInfo & "3) Run script on server." & vbCrLf sPatchInfo = sPatchInfo & "4) Reboot server." & vbCrLf sPatchInfo = sPatchInfo & "5) Apply both patches, rebooting as necessary, but reboot at least" & vbCrLf sPatchInfo = sPatchInfo & " once after both patches have been applied." & vbCrLf sPatchInfo = sPatchInfo & "6) Run script again." & vbCrLf sPatchInfo = sPatchInfo & "7) Reboot again." & vbCrLf sPatchInfo = sPatchInfo & "8) Run script again. It should report ""Worm Sign Count = 0""" & vbCrLf sPatchInfo = sPatchInfo & "9) Update your virus definition file for your virus scanner." & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & "IMPORTANT:" & vbCrLf sPatchInfo = sPatchInfo & "Do not forget that you are choosing to ATTEMPT to clean your server" & vbCrLf sPatchInfo = sPatchInfo & "of all worms, Trojan Horses, and other hostile software. If an" & vbCrLf sPatchInfo = sPatchInfo & "attacker has already executed commands on your server through the" & vbCrLf sPatchInfo = sPatchInfo & "Trojan installed by Code Red, then this script and the above patches" & vbCrLf sPatchInfo = sPatchInfo & "will NOT secure your server. By not reformatting your hard drives" & vbCrLf sPatchInfo = sPatchInfo & "and reinstalling, you are essentially BETTING your server and your" & vbCrLf sPatchInfo = sPatchInfo & "network's security against the odds that you have not been further" & vbCrLf sPatchInfo = sPatchInfo & "compromised by other attackers or worms that are using the Trojan" & vbCrLf sPatchInfo = sPatchInfo & "installed by Code Red. THE RESPONSIBILITY IS YOURS." & vbCrLf sPatchInfo = sPatchInfo & " " & vbCrLf sPatchInfo = sPatchInfo & "LEGAL:" & vbCrLf sPatchInfo = sPatchInfo & "The SANS Institute provides no warranties or guarantees of the " & vbCrLf sPatchInfo = sPatchInfo & "effectiveness of this script or the procedures and patches" & vbCrLf sPatchInfo = sPatchInfo & "discussed above. This script is provided as a free convenience" & vbCrLf sPatchInfo = sPatchInfo & "to the IT community. The SANS Institute cannot and does not" & vbCrLf sPatchInfo = sPatchInfo & "accept liability for your decisions concerning how to best cope" & vbCrLf sPatchInfo = sPatchInfo & "with the threat and damage caused by Internet worms and viruses." & vbCrLf sPatchInfo = sPatchInfo & "Nor do we have the unlimited resources necessary to provide" & vbCrLf sPatchInfo = sPatchInfo & "technical support for all the possible different configurations" & vbCrLf sPatchInfo = sPatchInfo & "which may cause the script to fail. When in doubt, reformat drives." & vbCrLf sPatchInfo = sPatchInfo & "Good luck, and best wishes." & vbCrLf '*********************************************************************************** ' sUsageInfo is the Help and Legal page. '*********************************************************************************** sUsageInfo = vbCrLf sUsageInfo = sUsageInfo & "AntiCodeRed2.vbs (v.1.9) Written by Jason Fossen, The SANS Institute" & vbCrLf sUsageInfo = sUsageInfo & " " & vbCrLf sUsageInfo = sUsageInfo & "CSCRIPT.EXE AntiCodeRed2.vbs [/