FAQ  
 

How to remove the Code Red worm?

Created 2001-08-15 by Andre Lorbach.

Question:

How to remove the Code Red worm?

Answer:

To determine whether the Code Red worm could affect your system, check the following:

  • The operating system is Windows NT (with Option Pack 4 installed), Windows 2000 or Windows XP.
  • You have installed the Internet Information Server (to verify, check the Windows Components in the Control Panel under Add/Remove Software).
  • The WWW Publishing Service is running.
  • You are connected to the Internet and port 80 is accessible from outside.
  • You haven't installed the MS security patch MS01-033.

If all of these conditions apply, follow these steps to check whether the Code Red worm has infected your system.

  • Open the Task Manager (for example, right-click on the taskbar and select Task Manager).
  • Change to the Processes tab.
  • Click on View > Select Columns and enable the "Thread Count" property.
  • Now you can see the Thread Count of every process that is running.
  • Look at the inetinfo.exe process (it should be running).

If your system is infected with the Code Red worm, you will see that the Thread Count is more than 120. The Thread Count is normally about 20-50. The largest count I have seen was 600 on an infected machine.

How to remove the Code Red worm depends on which type of Code Red has infected your system. Most can be removed by restarting the machine. But some newer versions of the Code Red worm are resistant and have to be removed from the machine using special instructions.
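The thread-count check above can also be scripted. The following is an added example, not part of the original FAQ or any Adiscon tool; it assumes a host with PowerShell 3.0 or later, the function name `Test-InetinfoThreadCount` and the status labels are hypothetical, and the thresholds are the figures given above.

```powershell
# Added example: scripted form of the Task Manager check for inetinfo.exe.
# Thresholds come from the FAQ text: about 20-50 threads is normal,
# more than 120 points to a Code Red infection.
function Test-InetinfoThreadCount {
    param(
        [int]$NormalMax    = 50,   # upper end of the normal range given above
        [int]$SuspectAbove = 120   # infection indicator given above
    )

    # Small helper so every outcome has the same shape.
    $result = {
        param($Status, $Threads, $Detail)
        [pscustomobject]@{ Status = $Status; Threads = $Threads; Detail = $Detail }
    }

    # Precondition from the FAQ: the WWW Publishing Service (W3SVC) is running.
    $svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    if (-not $svc) {
        return & $result 'NotApplicable' $null 'WWW Publishing Service is not installed'
    }
    if ($svc.Status -ne 'Running') {
        return & $result 'NotApplicable' $null "WWW Publishing Service is $($svc.Status)"
    }

    # inetinfo.exe hosts IIS; it should exist whenever W3SVC is running.
    $proc = Get-Process -Name inetinfo -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $proc) {
        return & $result 'Unknown' $null 'inetinfo.exe not found although W3SVC is running'
    }

    $threads = $proc.Threads.Count
    if ($threads -gt $SuspectAbove) {
        & $result 'Suspect' $threads "More than $SuspectAbove threads"
    }
    elseif ($threads -gt $NormalMax) {
        # Between the two figures the FAQ gives no verdict; report it as such.
        & $result 'Elevated' $threads "Above the normal range but not above $SuspectAbove"
    }
    else {
        & $result 'Normal' $threads "Within the normal range (up to $NormalMax)"
    }
}

Test-InetinfoThreadCount
```

A `Suspect` result is only the indicator described above; the patch status (MS01-033) still has to be checked separately.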

Copyright © 1988-2005 Adiscon GmbH All rights reserved.