Security Incidents mailing list archives

Re: Method to Clean up IIS servers hit by CRv2

From: "Ralph Mellor" <ralph () dimp com>
Date: Mon, 6 Aug 2001 13:27:22 -0500

So far I've been doing the following:

1. Patch the server.

2. Remove root.exe from the web directories.

3. Remove explorer.exe from c: and/or d:

4. reboot.

My main question is do you need to mess with the registry keys that it
alters? Are these reset on reboot or do you need to set them to some
value? If so what values? Or delete them all together?


If you want to be sure the machine is clean you need to wipe it and
start from scratch.

Unlike CR1, CR2 leaves a back door, and you don't know what other
things have been done using that backdoor.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Method to Clean up IIS servers hit by CRv2 dmuz (Aug 06)
- Re: Method to Clean up IIS servers hit by CRv2 Ralph Mellor (Aug 06)
- <Possible follow-ups>
- RE: Method to Clean up IIS servers hit by CRv2 Doug . Barbin (Aug 06)
- RE: Method to Clean up IIS servers hit by CRv2 Walling, Ken (Aug 07)