On Tue, Aug 07, 2001 at 01:57:02PM -0500, Brian wrote:
> On Tue, 7 Aug 2001, Austad, Jay wrote:
> You already did:
>
> > Lynx -source http://infectedhost/scripts/root.exe+/c+reboot
>
> IIRC the worm doesn't ever store itself on disk. It seems odd, then, that
> an NT machine went from July 19 to Aug 1 without a reboot. So I may not
> be correct on this. If you install the patch and reboot the server, I
> think you've fixed the problem.

That is true of CR1, but not CR2, which trojans explorer.exe to make some
registry settings as soon as a user logs in. These settings make the C:\
and D:\ directories available via port 80.

Patching that one up requires that you remove the worm from memory, remove
the trojaned explorer.exe, not have an explorer.exe running (it recreates
the registry settings every 10 minutes), and remove the registry settings.
And hope that nobody has used the remote access to plant additional
backdoors.

May as well just wipe the system and be done with it if CR2 takes root.

--
With the arrest of Dimitry Sklyarov it has become apparent that it is not
safe for non US software engineers to visit the United States. - Alan Cox
"To prevent unauthorized reading..." - Adobe eBook reader license