Windows 2000 SP2 does *not* contain the patch for MS01-033.
To be extra safe, check out:
IIS4/5 patch rollup (does not include patch for MS01-033):
http://support.microsoft.com/support/kb/articles/Q297/8/60.ASP
Patch for MS01-033:
http://www.microsoft.com/technet/default.asp?url=/technet/security/bulletin/MS01-033.asp
Info on all post-SP2 patches:
http://support.microsoft.com/support/ServicePacks/Windows/2000/Win2000_Post-SP2_Hotfixes.asp
If you apply Windows 2000 SP2, the rollup patch and MS01-033 you're safe
from most known IIS exploits.
Nick
Nick Lehman
Hostworks Limited
Tel 1300 30 4848
www.hostworks.com.au
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of ChrisWeeks
Sent: Saturday, 21 July 2001 8:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
Thank you for the truth.
Anyone, this is what is going on.
I did the same thing to be sure. (created a file called noworm just to
be safe.)
You seem to know what is up, so a question. Does 2000 SP2 contain the
ms01-033 patch?
I was one of the lamers that missed the patch, due to politics I could
not install SP2 and missed the advert. (I troll Microsoft and various
hacker news groups but missed it) but thanks to the other guy (rick) I
have subscribed to Microsoft's auto alerts.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Terrence Koeman
Sent: Friday, July 20, 2001 3:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
1) The www.worms.com website is not down.
2) The www.worms.com website has absolutely nothing to do with the "Code
Red" worm.
3) The "Code Red" worm does not connect to or redirect to the
www.worms.com website.
Patch your server:
1) If you are not using the .idq extension, you should have removed the
mapping directly after the installation of IIS.
2) If for some reason you were too lame to do so or you are using the
.idq extension, you should have installed the patch over a month ago.
3) If for some reason you were too lame to do so, install the patch from
Microsoft and reboot your server. Rebooting will effectively kill the
worm, as it's only stored in memory. The patch will prevent your system
from being infected again.
4) For extra security, create a file "c:\notworm" (no extension). The
worm checks for this file, and if present ceases to function. (Does not
infect other machines and does not deface the sites on the server).
--
Regards,
Terrence Koeman
Technical Director/Administrator
MediaMonks B.V. (www.mediamonks.nl)
Please quote all replies in correspondence.
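
Added example, not part of the original messages: a small Python check that scans an IIS W3C-format log for requests to the Index Server extensions (.ida/.idq, both handled by idq.dll) carrying an overlong query string, which is how probing of the MS01-033 flaw shows up in logs. The field layout, the 200-character threshold and the sample lines are constructed assumptions.

```python
import re

# Index Server extensions handled by idq.dll (the component MS01-033 patches).
ISAPI_EXT = re.compile(r"\.(ida|idq)$", re.IGNORECASE)
MAX_QUERY = 200  # assumed threshold: legitimate Index Server queries are short

# Constructed sample lines in W3C extended format (not captured traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /default.htm - 200
2001-07-19 14:02:40 198.51.100.7 GET /default.ida {q} 200
2001-07-19 14:03:05 192.0.2.44 GET /search/query.idq CiScope=/docs 200
2001-07-19 14:05:19 203.0.113.9 GET /default.ida {q} 404
""".format(q="N" * 224)


def suspicious_requests(log_text, max_query=MAX_QUERY):
    """Return (client_ip, uri_stem, query_length, status) for overlong .ida/.idq requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared by the log itself; do not hard-code it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if ISAPI_EXT.search(stem) and query != "-" and len(query) > max_query:
            hits.append((row.get("c-ip", "?"), stem, len(query),
                         row.get("sc-status", "?")))
    return hits


if __name__ == "__main__":
    for ip, stem, qlen, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {stem} query_len={qlen} status={status}")
```

A hit shows that the server was probed, not that it was infected; whether the request succeeded depends on the patch level and on whether the mapping was still present.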
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of NetQuick Mail
> Administrator
> Sent: Friday, July 20, 2001 21:57
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
>
>
> That website has been taken down by the service provider.
>
> Kevin Childers
>
> It's like I've always said, "You can get
> more with a kind word and a two by four,
> than you can get with just a kind word."
>
>
> ----- Original Message -----
> From: "T. Bradley Dean" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 19, 2001 9:15 PM
> Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
>
>
> >My question is, the patch updates idq.dll. How did this get rid of the
> >redirection to the www.worms.com page?
>
> It didn't. Rebooting gets rid of the worm, it's only stored in memory. But
> the patch is needed so you don't get the worm back in a few hours.
>
>
> ~Brad
> -----Original Message-----
> From: Adrian Henderson
> [mailto:[EMAIL PROTECTED]]On Behalf
> Of Adrian Henderson
> Sent: Thursday, July 19, 2001 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [IMail Forum] IIS 5 - Chinese Worm
>
>
> I was hit too, but I have many questions as to how it started and works?
>
> I applied the patch and I can now get into my exchange server OWA.
>
> The thing is, we have 7 web services running on iis5, the default doesn't
> have a web page in it, but exchange 2000 runs off of it in a subdir, that's
> how we found out we got hit. The thing is, that it doesn't affect other web
> sites running on that server, except for the default so it would appear in
> our case anyways.
>
> My question is, the patch updates idq.dll. How did this get rid of the
> redirection to the www.worms.com page? I have scanned the system for viruses,
> and it's clean. Are we to assume that it is no longer sending out requests
> too? All the web pages are quite vague on this, other than how it works.
> It just seems very weird. Most worms/viruses start with a file that infects,
> but I guess this is one that is exploited from another server? Any insight
> would be much appreciated.
>
> FWIW, MS should reissue the bulletin regarding this new worm, and how their
> previous fix which only talks about Index server, can avoid these worms.
>
>
> -----Original Message-----
> From: Jeff Kratka
> Sent: Thu 7/19/2001 6:48 PM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: [IMail Forum] IIS 5 - Chinese Worm
>
>
> The patch does work, it hit my server this AM also. I'm running
> IIS5. Works
> fine now.
>
> Jeff
> ******************************************************************
> TymeWyse Internet
> P.O.Box 84 - 583 N. Main St., Canyonville, OR 97417
> tel/fax: (541) 839-6027 - [EMAIL PROTECTED]
> ******************************************************************
>
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/