[NTLUG:Discuss] Real dangers of CR2
Cox, Chris
Chris_Cox at stercomm.com
Fri Aug 10 09:57:07 CDT 2001

Lately the media has been downplaying the effects of
Code Red 2... calling it the big 'yawn' and not likely
to affect anything seriously. They recognize the loss
it has cost so far, but believe it to be under control.
I realize that this only affects stupid MS boxes
running IIS, but since this could be your neighbor,
your friend or even your company, I think some facts
should be made clear.

Code Red 2, the one with the signature of all XX's instead
of the NN's, places cmd.exe into the scripts and msadc
directories.... BUT what you may not know is that it also maps
the c: and d: drives to the virtual web space... so you
can execute ANY file on those drives using something
like

    GET /c/winnt/system32/whatever.exe HTTP/1.0

This worm has literally affected hundreds of thousands
of hosts on the Internet.... the world tells them to
just reboot and install a patch. However, since this
backdoor is put into place on the CR2 infected machines,
you REALLY don't know what has been done on the machine.
The proper solution is to turn off, reinstall the OS, apply the
patch and then put the stupid host back on the net (to
wait for the next big worm).

I would not trust any host that had CR2 on it at any
time.

Sorry about the non-Linux post... but this could affect
everyone in a real way.
Chris
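
As an added example (not part of Chris's post), the Python below scans IIS-style log lines for the two indicators the post describes: cmd.exe reachable under the scripts or msadc virtual directories, and requests into the c/ and d/ virtual roots that CR2 maps onto the drive roots. A 200 on either in your own server's log is the confirmation the post warns about; the log layout, regexes and sample lines are assumptions, not anything from the post.

```python
"""Flag IIS log lines that touch the Code Red 2 backdoor described in the post."""
import re
from typing import Dict, List, Optional

# Constructed W3C-style IIS log lines: date time c-ip method uri status.
SAMPLE_LOG = """\
2001-08-10 09:57:01 10.0.0.5 GET /default.htm 200
2001-08-10 09:57:02 10.0.0.9 GET /scripts/cmd.exe 200
2001-08-10 09:57:03 10.0.0.9 GET /c/winnt/system32/whatever.exe 200
2001-08-10 09:57:04 10.0.0.7 GET /msadc/cmd.exe 404
2001-08-10 09:57:05 10.0.0.8 GET /d/inetpub/wwwroot/default.htm 200
2001-08-10 09:57:06 10.0.0.5 GET /images/logo.gif 200
"""

# Hypothetical patterns derived from the post: a copy of cmd.exe under the
# scripts/ or msadc/ virtual directories, and the c/ and d/ virtual roots.
DROPPED_SHELL = re.compile(r"^/(scripts|msadc)/cmd\.exe$", re.IGNORECASE)
MAPPED_DRIVE = re.compile(r"^/[cd]/", re.IGNORECASE)


def classify(uri: str) -> Optional[str]:
    """Return which backdoor indicator a request URI matches, or None."""
    path = uri.split("?", 1)[0]  # ignore any query string
    if DROPPED_SHELL.search(path):
        return "dropped-cmd.exe"
    if MAPPED_DRIVE.search(path):
        return "mapped-drive"
    return None


def scan_log(text: str) -> List[Dict]:
    """Parse each log line and collect requests that hit an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line
        _date, _time, client, _method, uri, status = fields[:6]
        kind = classify(uri)
        if kind:
            hits.append({"client": client, "uri": uri,
                         "indicator": kind, "status": int(status)})
    return hits


def backdoor_served(hits: List[Dict]) -> bool:
    """True if this server answered 200 to an indicator: it carried the CR2 backdoor."""
    return any(h["status"] == 200 for h in hits)
```

A 404 means the probe failed on this host; any 200 means the mapped drives or dropped shell were live, which by the post's reasoning puts the host in the rebuild-from-scratch category.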