"Red Code III" Manual Removal Guide (Seraph Chutium, August 10, 2001, 16:13)
Editor's note: Although this article describes how to remove the "Red Code" worm manually, for most ordinary users we believe that Microsoft's solution, or the security products of professional anti-virus vendors, is the safest and most convenient way to remove the worm.
Background: tracking "Red Code"
CodeRed III and CodeRed II are aggressive viruses that also target Chinese Windows operating systems: both attack Simplified Chinese and Traditional Chinese Windows systems alike. This article explains how to remove the "Red Code III" worm manually.
Microsoft has released security bulletin MS01-033, which provides patches for NT and 2000 systems: Windows NT 4.0, Windows 2000 Professional, Server and Advanced Server. Note that the removal method described here is valid for both II and III. The manual removal procedure is as follows:
If your server has unfortunately been infected by this virus, immediately stop the web service on port 80 so that the virus cannot continue to spread.
1. Remove the two backdoor files on the web server: /msadc/root.exe and /scripts/root.exe
Their physical paths are, respectively:
C:\inetpub\scripts\root.exe
C:\progra~1\common~1\system\msadc\root.exe (i.e. C:\Program Files\Common Files\system\msadc\root.exe)
2. Remove the copies on your local hard drives: C:\explorer.exe and D:\explorer.exe
First kill the Trojan explorer.exe process. Open Task Manager and select the Processes tab, then check whether two "explorer.exe" entries appear in the list. If you find two, the Trojan is already running on your machine. Select View -> Select Columns -> Thread Count in the menu and press OK; a new "Threads" column now appears in the list. Compare the two "explorer.exe" entries: the one whose thread count is "1" is the Trojan. End that process.
After that, you can delete C:\explorer.exe and D:\explorer.exe. Both files have the hidden and read-only attributes set, so you need to set View -> Options -> Hidden files to "Show all files" before you can see them.
3. Remove the entries added to the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: delete the SFCDisable value. The worm sets it to 0FFFFFFFFFFFFFFFFFFFFFFFFFF9DH, which disables system file checking at logon.
HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots: the Scripts value. Change its access flags from ,,217 back to ,,201. (This virtual directory is enabled by default, but unless there is a specific need it can be disabled, because many vulnerabilities are exploited through files in this virtual directory.)
HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots: the MSADC value. Change ,,217 back to ,,201 (same as Scripts).
HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots: delete the C: value (data C:\,,217). It shares the local C: drive over the web.
HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots: delete the D: value (data D:\,,217). It shares the local D: drive over the web.
If you do not delete the registry entries above, the C: and D: drives of the infected server remain fully controllable over the web.
4. Restart the system to ensure that CodeRed.v3 is completely cleared.
Note: To make sure the server cannot be infected again, install the patch released by Microsoft.
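The checks in steps 1 to 3 can be gathered into a single read-only PowerShell script that reports the indicators described above without deleting or modifying anything. This is an added example, not the article's own procedure or code from the worm analyses it draws on; it assumes a modern PowerShell on the suspected IIS host (the article's NT 4.0 and 2000 systems have no PowerShell), that the script runs as Administrator, that `$env:CommonProgramFiles` resolves to C:\Program Files\Common Files, and that the Virtual Roots data keeps the "path,username,accessflags" layout the article quotes (",,217" and ",,201").

```powershell
# Added detection-only script for the Code Red II/III indicators described in the article.
# Assumptions: run as Administrator on the suspected IIS host; paths follow the article.
# It reports findings and never deletes files or changes the registry.

$findings = @()

# 1. Backdoor copies of root.exe in the two web-accessible directories
$backdoors = @(
    'C:\inetpub\scripts\root.exe',
    "$env:CommonProgramFiles\system\msadc\root.exe"   # C:\Program Files\Common Files\system\msadc\root.exe
)
foreach ($p in $backdoors) {
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) {
        $findings += "Backdoor file present: $p"
    }
}

# 2. Trojan explorer.exe at the root of each drive (hidden + read-only, so -Force is needed)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $p = Join-Path $drive.Root 'explorer.exe'
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings += "Root-level explorer.exe: $p (attributes: $attr)"
    }
}

# The article's tell: the genuine shell runs many threads, the Trojan copy runs a single thread
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    if ($proc.Threads.Count -le 1) {
        $findings += "explorer.exe PID $($proc.Id) has $($proc.Threads.Count) thread(s): $($proc.Path)"
    }
}

# 3a. SFCDisable under Winlogon (non-zero means system file checking is turned off)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
if ($sfc -and $sfc.SFCDisable -ne 0) {
    $findings += ('SFCDisable is 0x{0:X8} (system file checking disabled)' -f $sfc.SFCDisable)
}

# 3b. IIS virtual roots: flag any entry with access flags 217 (execute added) and any entry
#     whose path is a bare drive root (the worm's C: and D: shares). This is more general than
#     the article's fixed list of Scripts, MSADC, C: and D:, so renamed entries are caught too.
$vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
if (Test-Path -LiteralPath $vroots) {
    $props = Get-ItemProperty -LiteralPath $vroots
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PowerShell's PSPath/PSProvider metadata
        $data  = [string]$prop.Value
        $parts = $data -split ','                          # "path,username,accessflags"
        $path  = $parts[0]
        $flags = $parts[-1]
        if ($flags -eq '217') {
            $findings += "Virtual root '$($prop.Name)' -> $data (access flags 217; article expects ,,201 for Scripts/MSADC)"
        }
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += "Virtual root '$($prop.Name)' exposes an entire drive: $data"
        }
    }
}

if ($findings.Count -eq 0) { 'No Code Red II/III indicators found.' } else { $findings }
```

Run it once before cleaning to confirm the infection and again after the reboot in step 4; an empty result on the second run means every indicator the article lists is gone. Because the virtual-root check parses the access-flag field rather than matching fixed value names, it also reports a virtual root the worm might create under another name, which the article's manual list would miss.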