The Sadmind/Poison Box Worm

What is the Sadmind/IIS worm?
The Sadmind/IIS worm is a back door worm with both worm and Trojan elements. It spreads by exploiting a buffer overflow in unpatched versions of sadmind on Solaris systems. A compromised Solaris system then attempts to infect other Solaris systems and unpatched Microsoft IIS Web servers; where it succeeds against an IIS server, it defaces the site's default Web pages and installs a back door.
Where can I find more information about this virus?

The Office of Information Technology has issued two general advisories regarding the IIS vulnerability that the Sadmind/IIS worm uses:

BU-2001.04: IIS Windows Web Servers (sadmind/IIS worm)
BU-2001.05: IIS Windows Web Servers (3 new bugs / security patch roll-up)
Below are some links to information posted by others. While we believe this information may be useful and reasonably accurate, we have neither authenticated nor verified any of it.

CERT Advisory CA-2001-11: sadmind/IIS Worm

See Symantec's Web site for current information on Norton AntiVirus updates, and NAI's Web site for current information on McAfee VirusScan and Dr. Solomon's updates. You should use your regular update mechanisms to get the latest version of these virus definition files.
How can I remove this virus?

Follow the instructions below to remove this virus. If you have any doubts about your ability to remove the virus from your computer, please seek help from your local computing support staff or contact the PCSC (617/353-7272, pcsc@bu.edu). If you are affiliated with Boston University's School of Management, please contact:

Computer Support Services (Room 630)
Boston University School Of Management
617/353-9440

If you are affiliated with Boston University, you can download and install the latest version of Network Associates' McAfee VirusScan for free, as Boston University has a site license for this product. Please visit BU's Anti-Virus software Web site for more information. This site will prompt you for your BU login name and password before allowing access.
Specific instructions for removing the Sadmind/Poison Box Worm

Step 1) Apply the patch from the vendor:
Microsoft IIS Patches (link to the August 15, 2001 cumulative patch, which includes the specific patches that Microsoft originally released for this exploit.)
Sun Solaris SADMIND Patch (Solaris users only need to complete this step.)
Step 2) Make sure you have the latest virus definitions installed.
Step 3) Run a virus scan on all local drives.
Step 4) Delete any infected file(s) and restore or recreate your home page if it is no longer available.
Step 5) Search for any file(s) named root.exe and delete them. (These are usually found in the IIS scripts folder.)
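The file search in Step 5 can be made repeatable on a server with several Web roots. The script below is an added example, not part of the original advisory: it walks the IIS roots you give it (the paths in DEFAULT_ROOTS are assumed defaults for Windows NT/2000, not taken from the advisory), records every root.exe it finds with its size, modification time and SHA-256 hash so the evidence survives the cleanup, and only deletes when you explicitly turn off dry_run. build_sample_tree() creates a constructed directory layout so the script can be exercised off the affected host.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed default IIS locations on Windows NT 4 / 2000; pass your own roots if they differ.
DEFAULT_ROOTS = [r"C:\Inetpub\wwwroot", r"C:\Inetpub\scripts"]
TARGET_NAME = "root.exe"  # file the advisory says to search for, usually in the IIS scripts folder


def sha256_of(path, chunk=65536):
    """Hash the file in chunks so large files do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_root_exe(roots):
    """Return a record for every file named root.exe (case-insensitive) under the given roots."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):
            continue  # root not present on this host; skip rather than fail
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET_NAME:
                    continue
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                findings.append({
                    "path": full,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                    "sha256": sha256_of(full),
                    "in_scripts_dir": os.path.basename(dirpath).lower() == "scripts",
                })
    return findings


def remove_findings(findings, dry_run=True):
    """Delete the reported files; with dry_run=True only report what would be removed."""
    removed = []
    for f in findings:
        if not dry_run:
            os.remove(f["path"])
        removed.append(f["path"])
    return removed


def build_sample_tree():
    """Constructed sample layout (not real worm artefacts): a scripts folder holding a dummy Root.EXE."""
    base = tempfile.mkdtemp(prefix="iis-sample-")
    os.makedirs(os.path.join(base, "wwwroot"))
    os.makedirs(os.path.join(base, "scripts"))
    with open(os.path.join(base, "wwwroot", "default.htm"), "w") as f:
        f.write("<html>placeholder home page</html>")
    with open(os.path.join(base, "scripts", "Root.EXE"), "wb") as f:
        f.write(b"constructed placeholder, not executable content")
    return base


if __name__ == "__main__":
    hits = find_root_exe(DEFAULT_ROOTS)
    for h in hits:
        print(f"{h['path']} size={h['size']} mtime={h['mtime']} sha256={h['sha256']} scripts_dir={h['in_scripts_dir']}")
    print(f"{len(hits)} root.exe file(s) found; call remove_findings(hits, dry_run=False) once the evidence is recorded")
```

Run it after Steps 1 to 4, record the printed hashes and paths before deleting, and keep the dry run as the default so a mistyped root cannot delete anything unexpectedly.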
Is there anything else I can do to protect myself from this type of attack?

If you do not need to run IIS on your computer, then you should turn it off immediately. Guides for doing so are available from Microsoft at:

Microsoft Internet Information Server (IIS) 4 for Windows NT
Microsoft Internet Information Server (IIS) 5 for Windows 2000

If you decide to continue running IIS on your computer, you should apply all current patches, remain alert for future advisories on IIS, and apply those patches as well. Microsoft has a detailed article explaining the steps necessary to protect your Web site from defacement and similar attacks at: http://www.microsoft.com/technet/columns/insider/default.asp