I work for a software company in which many of the engineers run IIS 5.0 and IIS 4.0 to test the software they write. When the CodeRed worm first appeared, I needed a way to quickly protect these IIS systems, so I added the code shown in Web Listing 1 (which you can access at http://www.windowswebsolutions.com, InstantDoc ID 23884) to the company's logon script, which is written in the KiXtart scripting language. The code checks for the existence of idq.dll, a file that Microsoft Indexing Service (Windows 2000) and Microsoft Index Server (Windows NT 4.0) use. If the idq.dll file exists, the code checks the registry to see whether the IIS system has the appropriate CodeRed patch, and if not, the code applies the patch.
To use the KiXtart code in Web Listing 1, first download CodeRedPatch.scr from the Code Library on the Windows Web Solutions Web site (http://www.windowswebsolutions.com). Then, customize the code so that it reflects the paths to your patches. Currently, the patch for IIS 4.0 is in the \\helpdesk\patches\iis\nt4\q301625 folder and the patch for IIS 5.0 is in the \\helpdesk\patches\iis\w2k\q301625 folder. Optionally, you can customize the IS Department signature in the MessageBox functions.
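The check-then-patch flow described above, as an added KiXtart sketch that is not the article's Web Listing 1. The installer file name, the registry keys, and the system32 location of idq.dll are assumptions; the first two are labelled placeholders to be filled in from the patch documentation.

```kixtart
; Added example, not the article's Web Listing 1.
Break On

; Patch folders as given in the article; change them to match your shares.
$NT4Path = "\\helpdesk\patches\iis\nt4\q301625"
$W2KPath = "\\helpdesk\patches\iis\w2k\q301625"

; PLACEHOLDERS (assumptions): the installer file name and the registry key
; each patch writes when it installs. Neither value comes from the article.
$Installer = "PATCH_INSTALLER_PLACEHOLDER.EXE"
$NT4Key = "HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_NT4_PATCH_KEY"
$W2KKey = "HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER_W2K_PATCH_KEY"

; idq.dll is only present where Index Server / Indexing Service is installed
; (system32 location assumed here).
If Exist("%windir%\system32\idq.dll")
    ; @DOS holds the OS version: 4.0 = Windows NT 4.0, 5.0 = Windows 2000.
    Select
        Case @DOS = "4.0"
            $Path = $NT4Path
            $Key = $NT4Key
        Case @DOS = "5.0"
            $Path = $W2KPath
            $Key = $W2KKey
        Case 1
            ; Any other OS version: nothing to install.
            $Path = ""
            $Key = ""
    EndSelect

    If $Path <> "" AND KeyExist($Key) = 0
        $Exe = $Path + "\" + $Installer
        If Exist($Exe)
            Shell $Exe
            ; Re-check the registry instead of assuming the install worked.
            If KeyExist($Key) = 0
                $rc = MessageBox("The CodeRed patch did not install. Please contact the IS Department.", "IS Department", 48)
            EndIf
        Else
            ; Patch share unreachable or file missing: report it, do not fail silently.
            $rc = MessageBox("CodeRed patch not found at " + $Exe, "IS Department", 48)
        EndIf
    EndIf
EndIf
```

Re-checking the key after the installer returns means a failed or cancelled install is reported at logon instead of leaving the machine silently unpatched.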
For more information about the CodeRed worm, see the Microsoft article "Unchecked Buffer in Index Server ISAPI Extension Can Enable Web Server Compromise" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q300972). You can download the patches from the Microsoft Security Web site (http://www.microsoft.com/security). Click the Security Bulletins link and go to either Microsoft Security Bulletin MS01-033 (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise) or MS01-044 (15 August 2001 Cumulative Patch for IIS). For more information about these and other IIS-related hotfixes, see Brett Hill, IIS Informant, "Keeping Up with Hotfixes," December 2001, InstantDoc ID 22965.