How to remove the Code Red worm?
Created 2001-08-15 by Andre Lorbach.
Question:
How to remove the Code Red worm?
Answer:
To check whether the Code Red worm could affect your system at all, first verify the following:
- The operating system is Windows NT (with Option Pack 4 installed), Windows 2000 or Windows XP.
- Internet Information Server is installed (to verify, check the Windows Components in the Control Panel under Add/Remove Software).
- The WWW Publishing Service is running.
- You are connected to the Internet and port 80 is accessible from outside.
- You have not installed the MS Security patch MS01-033.
If all of these apply, follow these steps to check whether the Code Red worm has infected your system:
- Open the Task Manager (for example, right-click on the taskbar and select Task Manager).
- Change to the Processes tab.
- Click View > Select Columns and enable the "Thread Count" property.
- Now you can see the thread count of every running process.
- Look at the inetinfo.exe process (which should be running).
If your system is infected with the Code Red worm, you will see that the Thread Count is more than 120. The Thread Count is normally about 20-50. The largest count I have seen was 600 on an infected machine. How to remove the Code Red worm depends on which variant of Code Red has infected your system. Most can be removed by restarting the machine, but some newer versions of the Code Red worm are resistant to a restart and have to be removed from the machine using special instructions.
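The manual check described above can be scripted. The following is an added example, not part of the original KB entry; it assumes a Windows host with PowerShell 3 or later and the NetTCPIP module (for Get-NetTCPConnection), and uses the service name W3SVC for the WWW Publishing Service and the 120-thread threshold stated in the answer.

```powershell
# Added example (not from the original entry): automate the Code Red triage
# steps above. Assumptions: PowerShell 3+, NetTCPIP module available,
# WWW Publishing Service registered under the service name W3SVC.
function Test-CodeRedIndicators {
    param(
        [int]$SuspectThreadCount = 120   # threshold given in the article
    )
    $result = [ordered]@{}

    # 1. Is the WWW Publishing Service present and running?
    $svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $result.W3SVCRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Is anything listening on TCP port 80 on this host?
    $listen = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    $result.Port80Listening = ($null -ne $listen)

    # 3. Thread count of inetinfo.exe, the process the article says to inspect.
    #    Several instances are possible; report the highest count seen.
    $inet = Get-Process -Name inetinfo -ErrorAction SilentlyContinue
    if ($inet) {
        $threads = ($inet | ForEach-Object { $_.Threads.Count } |
                    Measure-Object -Maximum).Maximum
        $result.InetinfoThreads = $threads
        # A busy IIS server can legitimately exceed the threshold, so treat
        # this as a triage indicator, not proof of infection.
        $result.ThreadCountSuspicious = ($threads -gt $SuspectThreadCount)
    } else {
        $result.InetinfoThreads = $null
        $result.ThreadCountSuspicious = $false
    }

    [pscustomobject]$result
}

# Example run: prints the three indicators for the local machine.
Test-CodeRedIndicators | Format-List
```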