1) The www.worms.com website is not down.
2) The www.worms.com website has absolutely nothing to do with the "Code Red" worm.
3) The "Code Red" worm does not connect to or redirect to the www.worms.com website.
Patch your server:
1) If you are not using the .idq extention, you should have removed the mapping
directly after the installation of IIS.
2) If for some reason you were too lame to do so or you are using the .idq extention,
you should have installed the patch over a month ago.
3) If for some reason you were too lame to do so, install the patch from Microsoft and
reboot your server. Rebooting will effectively kill the worm, as it's only stored in
memory. The patch will prevent your system from being infected again.
4) For extra security, create a file "c:\notworm" (no extention). The worm checks for
this file, and if present ceases to function. (Does not infect other machines and does
not deface the sites on the server).
--
Regards,
Terrence Koeman
Technical Director/Administrator
MediaMonks B.V. (www.mediamonks.nl)
Please quote all replies in correspondence.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of NetQuick Mail
> Administrator
> Sent: Friday, July 20, 2001 21:57
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
>
>
> That website has been taken down by the service provider.
>
> Kevin Childers
>
> It's like I've always said, "You can get
> more with a kind word and a two by four,
> than you can get with just a kind word."
>
>
> ----- Original Message -----
> From: "T. Bradley Dean" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 19, 2001 9:15 PM
> Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
>
>
> >My question is, the patch updates idq.dll. How did this get rid of the
> redirection to the www.worms.com page?
>
> It didn't. Rebooting gets rid of the worm, it's only stored in memory. But
> the patch is needed so you don't get the worm back in a few hours.
>
>
> ~Brad
> -----Original Message-----
> From: Adrian Henderson
> [mailto:[EMAIL PROTECTED]]On Behalf
> Of Adrian Henderson
> Sent: Thursday, July 19, 2001 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
>
>
> I was hit too, but I have many questions as to how it started and works?
>
> I applied the patch and I can now get into my exchange server OWA.
>
> The thing is, we have 7 web services running on iis5, the default doesn't
> have a web page in it, but exchange 2000 runs off of it in a subdir, thats
> how we found out we got hit. The thing is, that it doesn't
> affect other web
> sites running on that server, except for the default so it would appear in
> our case anyways.
>
> My question is, the patch updates idq.dll. How did this get rid of the
> redirection to the www.worms.com page? I have scanned the system
> for virii,
> and its clean. Are we to assume that it is no longer sending out requests
> too? All the web pages are quite vague on this, other than how it works.
> It just seems very weird. Most worms/virii start witha file that infects,
> but I guess this is one that is exploited from another server?
> ANy insight
> would be much appreciated.
>
> FWIW, MS should reissue the bulletin regarding this new worm, and
> how their
> previous fix which only tlaks about Index server, can avoid thi
> these worms.
>
>
> -----Original Message-----
> From: Jeff Kratka
> Sent: Thu 7/19/2001 6:48 PM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
>
>
> The patch does work, it hit my server this AM also. I'm running
> IIS5. Works
> fine now.
>
> Jeff
> ******************************************************************
> TymeWyse Internet
> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
> ******************************************************************
>
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
smime.p7s
