Six practical methods for dealing with Code Red
[Author: China Computer Newspaper Add Time: 2001-9-1 11:50:34]
Recently, Code Red has been the hottest topic in the networking industry. Here we offer the following suggestions for dealing with it:
Method 1: On Windows 2000, IIS is installed by default, but for most personal users and servers it is of no use, and it has many vulnerabilities. If you do not need it, it is best to uninstall it.
Method 2: Microsoft has provided a tool called "Code Red II Cleaner" to remove this worm. You can download the tool from the following address: http://www.microsoft.com/downloads/release.asp?Releaseid=31878
Method 3: Remove the Code Red II worm by hand:
1. Stop the IIS service to prevent further attacks by the worm.
2. Open Task Manager and select the Processes tab. Check whether there are two "explorer.exe" entries among the processes. If you find two, the Trojan has already run on your machine and you should kill it immediately; otherwise, the Trojan has not yet run and you can go to the fourth step.
3. Select "View | Select Columns | Thread Count" in the menu and press OK. A new "Threads" column now appears in the display. Check the two "explorer.exe" entries: the one that shows only one thread is the Trojan, and you should end that process immediately.
4. Delete C:\explorer.exe and D:\explorer.exe. Note: both files have the hidden and read-only attributes set. To see them, enable the display of hidden files under "View | Options | Hidden File" in Windows Explorer.
5. Delete root.exe. Copies of it are in the IIS scripts and msadc directories.
6. Repair the registry entries created by the worm (if you found that the Trojan was already running). First back up the registry, then use regedit to find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots. Delete the "/C" and "/D" items, and change "217" to "201" in the "/scripts" and "/msadc" items. Then find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable: the worm has changed it to 0FFFFFFFFFF9DH, and you should change this value to 0.
7. Install the patch or take other measures so that you are no longer threatened by the worm.
8. Restart the system to remove the worm from memory.
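To check the registry repairs in step 6 against the backup taken there, the following added example (not part of the original article) parses a text export of the registry in .reg format and lists the repairs that still remain. The function names, the sample export and the "path,,flags" layout of the Virtual Roots values are assumptions made for illustration.

```python
import re
# Key paths and target values come from step 6 of the manual procedure.
VROOTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg(text):
    """Parse a .reg text export into {key: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_repairs(text):
    """Return the step-6 repairs that the export shows are still needed."""
    keys = parse_reg(text)
    todo = []
    for name, data in keys.get(VROOTS.lower(), {}).items():
        if name in ("/c", "/d"):
            todo.append(f"delete Virtual Roots item {name}")
        elif name in ("/scripts", "/msadc") and data.strip('"').endswith(",217"):
            todo.append(f"change 217 to 201 in Virtual Roots item {name}")
    sfc = keys.get(WINLOGON.lower(), {}).get("sfcdisable", "")
    if sfc.lower().startswith("dword:") and int(sfc[6:], 16) != 0:
        todo.append("set Winlogon SFCDisable to 0")
    return todo

# Constructed sample export; the "path,,flags" value layout is an assumption.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,201"
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\program files\\common files\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
'''

if __name__ == "__main__":
    print("\n".join(find_repairs(SAMPLE)))
```

An empty result after the repair means the export no longer contains any of the entries named in step 6.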
Method 4: Use advanced antivirus software to guard against Code Red. Domestic antivirus products such as Rising, KV3000 and Kill are effective at removing the Code Red virus.
Method 5: Use the Sino-Science network intrusion detection system (IDS) to monitor abnormal network behavior in real time. Code Red still spreads by exploiting a system vulnerability, and even the Trojan is implanted only after the vulnerability has been attacked and permissions obtained. So if the IDS detects an attack against the system vulnerability, raises an alarm and blocks it in time, the Code Red virus is kept out.
Method 6: Install a proxy-type firewall and filter this dangerous request at the firewall level, making the internal systems behind the firewall more secure.