CodeRed Removal Tool

Updated: August 24, 2005 04:00:25 PM GDT
Type: Removal Information

SUMMARY



The CodeRed removal tool removes CodeRed I and II, including CodeRed.F, and performs a vulnerability assessment of your computer. Symantec is providing what it believes to be a safe, reliable, and secure utility to remove the effects of a CodeRed infection.

To obtain and run the tool:
  1. Go to http://www.sarc.com/avcenter/FixCRed.exe.
  2. Download the FixCRed.exe file to a convenient location, such as your download folder or the Windows desktop.
  3. To check the authenticity of the digital signature, refer to the section "The digital signature."
  4. Close all programs before running the tool, including any on-demand scanners (such as NAV Auto-Protect).
  5. Double-click the FixCRed.exe file to start the removal tool.

    NOTE: If you downloaded the tool to a floppy disk and you want to run it from the floppy disk, see the section How to run the tool from a floppy disk at the end of this document for special instructions.
  6. Click Start to begin the process, and then allow the tool to run.
  7. Re-enable Auto-Protect.

NOTES:
  • The removal tool scans for CodeRed I and II on Windows 2000 only. However, it will detect and remove the Trojan.VirtualRoot in all versions of Windows.
  • When the procedure is finished, the removal tool may detect that you have open shares. The tool will remove the open shares automatically.

When the tool has finished running, you will see a message indicating whether the computer was infected by the CodeRed worm or the Trojan.VirtualRoot. It will also display a message if your computer is vulnerable to reinfection. If CodeRed was detected in memory or if the computer is vulnerable, the tool will open the default Web browser and load the Microsoft page that contains the patch. The tool will not scan for the Trojan.VirtualRoot until the patch is applied.
In the case of a Trojan.VirtualRoot removal, the program displays the following results:
  • The total number of scanned files
  • The number of deleted files
  • The number of terminated viral processes

What the tool does
The tool does the following:
  1. It scans memory for the presence of all known CodeRed variants.
  2. It performs a vulnerability assessment of the computer. If the computer is vulnerable, the tool opens the Web browser and loads the Microsoft page that contains the patch.
  3. It attempts to terminate the CodeRed and Trojan.VirtualRoot processes.
  4. It scans and deletes the Trojan.VirtualRoot files dropped by CodeRed II.
  5. It removes the IIS mappings for /Scripts or /MSADC and restores the System File Checker.
  6. It deletes the following four files, if they exist:
    • C:\inetpub\Scripts\Root.exe
    • D:\inetpub\Scripts\Root.exe
    • C:\progra~1\Common~1\System\MSADC\Root.exe
    • D:\Progra~1\Common~1\System\MSADC\Root.exe
  7. It detects and automatically removes the open shares created by the Trojan.VirtualRoot.
  8. It deletes the values /MSADC and /Scripts from the registry to prevent them from being placed in the IIS Metabase if they did not exist already. If these values existed already, then the deletion is harmless, because IIS will restore the default values.
  9. It logs its activity in the file FixCRed.log. This file is stored in the same folder as the tool.
NOTE: You must have Administrator-level privileges to let the tool unmap the virtual roots that were created by the worm from the IIS metabase.

The digital signature
FixCRed.exe is digitally signed. Symantec recommends that you only use copies of FixCRed.exe that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
  1. Go to http://www.wmsoftware.com/free.htm
  2. Download and save the Chktrust.exe file to the same folder where you saved FixCRed.exe, for example, C:\Downloads.
  3. Click Start, point to Programs, and click MS-DOS Prompt.
  4. Change to the folder where FixCRed.exe and Chktrust.exe are stored, and then type:

    chktrust -i FixCRed.exe

    For example, if you saved the file to the C:\Downloads folder, here is how to get to that folder and enter the command:

    cd\
    cd downloads
    chktrust -i FixCRed.exe


    Press Enter after typing each command.
  5. If the digital signature is valid, you will see the following prompt:

    Do you want to install and run "FixCRed.exe" signed on 9/5/2001 8:42 AM and distributed by Symantec Corporation.

    NOTES:
    • The date and time that are displayed in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
    • If you are using Daylight Saving Time, the time that is displayed will be exactly one hour earlier.
    • If this dialog box does not appear, there are two possible reasons:
        • The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
        • The tool is from Symantec, and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.
  6. Click Yes to close the dialog box.
  7. Type exit and then press Enter. This ends the MS-DOS session.
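
The signature check in steps 4 and 5 can also be scripted on current Windows systems. This is an added example, not part of the original document or Symantec's tooling: it uses PowerShell's Get-AuthenticodeSignature in place of chktrust, the function name Test-ToolSignature and its parameters are assumptions, and the expected publisher string is the one shown in the prompt quoted in step 5.

```powershell
# Added example: refuse to run a downloaded tool unless its Authenticode
# signature is valid AND the signer is the expected publisher.
# Test-ToolSignature and its parameters are hypothetical names for this sketch.
function Test-ToolSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Publisher name as displayed in the trust prompt quoted in step 5.
        [string] $ExpectedPublisher = 'Symantec Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # NotSigned, HashMismatch, NotTrusted and every other status fail closed.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves that someone signed the file. Compare the
    # certificate's simple name exactly rather than substring-matching the subject.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($publisher -ne $ExpectedPublisher) {
        Write-Warning "Signed by '$publisher', expected '$ExpectedPublisher'"
        return $false
    }

    # Record what was accepted so it can be kept with the download.
    Write-Host ("Publisher : {0}" -f $publisher)
    Write-Host ("Thumbprint: {0}" -f $sig.SignerCertificate.Thumbprint)
    Write-Host ("SHA-256   : {0}" -f (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash)
    return $true
}

if (Test-ToolSignature -Path '.\FixCRed.exe') {
    Write-Host 'Signature and publisher check passed.'
} else {
    Write-Host 'Do not run this file.'
}
```

Unlike the chktrust dialog, this check does not depend on whether the operating system was previously told to always trust the publisher, so it reports a result in both of the cases listed in the notes to step 5.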

How to run the tool from a floppy disk
  1. Insert the floppy disk that contains the FixCRed.exe file into the floppy disk drive.
  2. Click Start, and click Run.
  3. Type the following, and then click OK:

    a:\FixCRed.exe
  4. Click Start to begin the process, and then allow the tool to run.