Okay guys - want to see how hard my box has been hit by Code Red? Just go to this link (which is long since dead) to get a good look.
What you are seeing is output from my new web application, the IIS Log Scanner. Yeah I plan on setting up a project page for this one ASAP and offering the code for download within the week.
Either way - this Code Red worm has got to stop. I got some more details on the 3rd generation's backdoors, and it's not pretty, folks. Check out what it does:
(1) Drops a copy of cmd.exe (root.exe) into the scripts and msadc virtual folders of IIS
(2) Creates a trojan called explorer.exe in the roots of drives C and D. This WILL execute on startup.
(3) Explorer.exe adds IIS Virtual Directory mappings to drives C and D. So if you've executed it - I could access your entire C drive through http://youiphere/C
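Here is an added example, not the IIS Log Scanner from the post: a small Python scanner over IIS W3C extended log lines that flags the paths the post names (root.exe under /scripts and /msadc, the /C and /D virtual directories) and tells a probe that got a 404 apart from a request that actually found the backdoor (2xx). The field layout and the sample log lines are constructed, not real traffic.

```python
import re

# Indicators named in the post: root.exe under the /scripts and /msadc virtual
# folders, and the /C and /D virtual directories that expose the whole drives.
INDICATORS = [
    ("root.exe backdoor (scripts)", re.compile(r"^/scripts/root\.exe$", re.I)),
    ("root.exe backdoor (msadc)", re.compile(r"^/msadc/root\.exe$", re.I)),
    ("drive mapped as virtual dir", re.compile(r"^/[cd](?:/|$)", re.I)),
]

def classify(uri_stem):
    """Label of the first indicator matching this URI stem, or None."""
    for label, pattern in INDICATORS:
        if pattern.search(uri_stem):
            return label
    return None

def scan_w3c_log(lines):
    """Return (c-ip, uri, status, label, verdict) for each suspicious request.
    Column order is read from the #Fields: directive of the W3C extended log."""
    fields, hits = None, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        row = dict(zip(fields, cols))
        label = classify(row.get("cs-uri-stem", ""))
        if label is None:
            continue
        status = int(row["sc-status"]) if row.get("sc-status", "-").isdigit() else 0
        # A 2xx on a backdoor path means the file really exists (host compromised);
        # a 404 means the worm probed this host and was turned away.
        verdict = "COMPROMISED" if 200 <= status < 300 else "probe"
        hits.append((row.get("c-ip", "-"), row["cs-uri-stem"], status, label, verdict))
    return hits

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 00:01:12 192.0.2.10 GET /default.htm - 200
2001-08-06 00:01:45 198.51.100.7 GET /scripts/root.exe - 404
2001-08-06 00:01:46 198.51.100.7 GET /MSADC/root.exe - 404
2001-08-06 00:02:03 203.0.113.5 GET /c/ - 200
2001-08-06 00:02:30 192.0.2.10 GET /images/logo.gif - 200""".splitlines()
```

Point `scan_w3c_log` at the lines of a real IIS log file and every `COMPROMISED` row names a host where the backdoor path answered, which is the box that needs cleaning rather than just patching.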
Keep patching, people! Maybe this thing will finally die if we keep at it. On a side note, I considered writing a counter virus - but without using the actual original buffer overflow, I can't come up with a solid way to guarantee that the remote system restarts. Other than that - I could write a script to upload the hotfix and clean out the security holes, but it would only execute on the remote machine when it reboots.
If anybody has any ideas let me know...