F-CodeRed
---------

F-CodeRed is a special tool to detect and remove CodeRed.C and CodeRed.F
worms from the infected computer's memory.

For detailed information on CodeRed variants please visit

http://www.f-secure.com/v-descs/bady.shtml


Usage
-----

NOTE: The tool has to be run with Administrator rights.

1. Unpack the F-CodeRed tool from the provided ZIP archive
   with either the WinZip or the PkUnzip utility. A trial version of
   the WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
 
2. Start a command shell

   Click 'Start Menu->Run'

   Type 'cmd', press [Enter]

3. Change to the folder where the tool was unpacked

   Type 'cd \folder\where\the\tool\is'

4. Start the tool

   Type 'F-CodeRed'


What does the tool do?
----------------------

- F-CodeRed locates the worm in the computer's memory and terminates
  the infected process if it is found there

- Locates and removes the VirtualRoot trojan dropped by CodeRed from
  memory and the disk.

- Removes the trojan command shells from

  \inetpub\scripts\root.exe
  \progra~1\common~1\system\MSADC\root.exe

- Removes the shared C: and D: roots from the IIS settings

- Opens the webpage that contains the fixes for the IIS vulnerability
  
  http://www.microsoft.com/technet/security/bulletin/MS01-044.asp


The tool can't delete Virtual Roots from Metabase.
--------------------------------------------------


If the tool generates an error message like:

 "F-CodeRed cannot delete Virtual Roots from IIS Metabase"
 "please refer to readme file for instructions"

the Metabase entries must be deleted manually by following these
steps:

Under

 "Control Panel" -> "Administrative Tools"

select

 "Internet Services Manager"
 
and under the "Default Web Site" section delete the entries named "C"
and "D" which are exporting the contents of those drives.


Note
----

If the computer was found to be infected and the patch for IIS was
installed, the computer needs to be restarted. After the restart it is
a good idea to run the tool again to check that the infection has been
removed properly and that the computer did not get reinfected while
the patch was being installed.
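
Added example (not part of the F-CodeRed tool or of the original readme): a
Python check that scans an IIS log in W3C extended format for requests to the
two root.exe shells and to the "C" and "D" virtual roots listed above, to
complement re-running the tool. The URL mappings, the function name
scan_iis_log and the sample log are assumptions made for this example.

```python
import re

# Assumption: default IIS mappings, where \inetpub\scripts is served as
# /scripts, ...\system\MSADC as /msadc, and the "C" and "D" roots as /c and /d.
BACKDOOR = re.compile(
    r"^/(?:(?:scripts|msadc)/root\.exe$|[cd](?:/|$))", re.IGNORECASE
)


def scan_iis_log(lines):
    """Return (date, time, client, uri, status) for requests to the backdoors."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # W3C extended logs name their columns in this directive; it can
            # reappear mid-file when the logging settings change.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        uri = rec.get("cs-uri-stem", "")
        if BACKDOOR.match(uri):
            hits.append(tuple(rec.get(k, "-") for k in
                              ("date", "time", "c-ip", "cs-uri-stem", "sc-status")))
    return hits


# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-10 09:12:01 192.0.2.10 GET /default.htm 200
2001-08-10 09:13:44 198.51.100.7 GET /scripts/root.exe 200
2001-08-10 09:13:50 198.51.100.7 GET /MSADC/root.exe 404
2001-08-10 09:14:02 203.0.113.5 GET /c/ 200
2001-08-10 09:15:30 192.0.2.10 GET /catalog/index.htm 200
2001-08-10 09:16:00 203.0.113.5 GET /d/ 403
"""

if __name__ == "__main__":
    for date, time, client, uri, status in scan_iis_log(SAMPLE_LOG.splitlines()):
        # 200 means the server answered, so the backdoor was still reachable.
        note = "reachable" if status == "200" else "not served"
        print(f"{date} {time} {client} {uri} -> {status} ({note})")
```

A hit with status 200 dated after the cleanup means a backdoor was still being
served at that time and the machine should be checked again.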

Contact information
-------------------

If you need further assistance using this tool, please contact
us at 'anti-virus-support@f-secure.com'.


Copyright (C) 2003 F-Secure Corporation. All rights reserved.
