I'm running Win2k Pro. I checked netstat -a the other day and found out I'm connected to www.whitehouse.gov. I figured I must be infected with some kind of virus. None of my antivirus programs found anything. I did some research and found out it might be the Code Red virus on the IIS server. I tried to clean it with different cleaners from eEye or MSFT but no luck. So I said no biggy, I'll reinstall. I formatted my partition and reinstalled Win2k, but the virus was there again when I got online. Weird stuff. I formatted again and repartitioned, thinking it might be in my MBR, but as soon as I start surfing around I get established connections to www.whitehouse.gov again.
netstat looks like this:
TCP xxx:1191 www.whitehouse.gov:http ESTABLISHED
TCP xxx:1192 www.whitehouse.gov:http ESTABLISHED
TCP xxx:1193 www.whitehouse.gov:http ESTABLISHED
TCP xxx:1194 www.whitehouse.gov:http ESTABLISHED
TCP xxx:1202 uscu-secure01-1.symantec.com:https TIME_WA
TCP xxx:1211 uscu-secure01-1.symantec.com:https TIME_WA
TCP xxx:1215 66.102.9.104:http ESTABLISHED
TCP xxx:1217 origin2.microsoft.com:http ESTABLISHED
TCP xxx:1218 origin2.microsoft.com:http ESTABLISHED
If I nslookup www.whitehouse.gov I get an Akamai server:
Non-authoritative answer:
Name: a1289.g.akamai.net
Addresses: 193.189.170.198, 193.189.170.200
Aliases: www.whitehouse.gov, www.whitehouse.gov.edgesuite.net
These are the replies I got from the cleanup tools:
Cleaning up Code Red Worm
If the system was internet-exposed, you should re-install system
To disable IIS, invoke with -disable option
This application does NOT apply the patch
See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
Cannot open WWW Publishing Service
Removing files created by worm
No files left by worm found
Cannot open virtual roots key
System File protection enabled
Error opening IISAO - hr = 80040154
This I got from the FixCRed cleaner:
The value
SFCDisable
in the subkey
Software\Microsoft\Windows NT\CurrentVersion\WinLogon
is reset to 0.
Your computer does not appear to be vulnerable.
The Trojan.VirtualRoot has not been found on your computer.
The thing I don't get is how come none of the virus scanners and reformatting/repartitioning have helped so far. How can I get rid of this virus? In the meantime, while I wait for your replies, I'm running Baseline Security Analyzer in case it finds anything.
Thanks for your help and suggestions.
kekec
"kekec" <ke...@usa.com> wrote in message
news:B34D245E-69C5-4591...@microsoft.com...