Slashdot Mirror


User: carrie+n.

carrie+n.'s activity in the archive.

Stories
0
Comments
1

Comments · 1

  1. worm removal on New (More) Annoying Microsoft Worm Hits Net · · Score: 1

    I don't know if this is helpful to anyone, but this is how I got rid of the worm (still am not 100% sure how to prevent infection).

    1) First update Win2000 to Service Pack 2 if you don't already have it. Download all critical fixes and security patches.

    2) Then stop all IIS sites and physically unplug your network connection.

    3) Run regedit and search for readme.eml and readme.exe. Delete all references to them. ALSO, in one of the registry groups you will find both of these keys next to each other. They will also be next to admin.dll and root.exe. In this group only, delete the admin.dll and root.exe keys.

    4) Run a file search from the Start menu. Search for readme.eml on all drives and make sure to search subdirectories too. Don't click on any of the files that show up (for me, if you even single-click they will run). Instead do a Ctrl-A and then Shift-Ctrl-Del to delete all of them. Do the same for any readme.exe files you may find. Now search for root.exe and admin.dll. Both of these files are required Windows files so don't automatically delete them. However, the worm will probably copy them to your IIS script directories, which is bad. So if they show up in any IIS script or web directories (Inetpub/scripts, for example) make sure to delete them.

    5) Empty your Recycle Bin.

    6) Reboot.

    7) Run steps 3-6 until you no longer find any traces of these files in the registry or on your machine.

    8) It should be good now, so you can reconnect your machine to the net and start up the IIS sites.

    After everything is cleaned out there will still be some traces you should get rid of. For one, it will put hacked splash pages in your default web server directories, so delete any such pages (index.htm, index.html, default.asp, etc.). Also the worm adds a JavaScript line to the end of .htm, .html, and .asp files which creates a popup on the client machine. This popup runs the readme.exe file and spreads the virus to clients. Since you deleted all of the .eml files it won't find anything, but you still want to get rid of this empty popup. So, use UltraEdit or HomeSite or any other text editor to do a massive search and replace to remove the following line:

    <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script> </html>
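The file sweep in step 4 and the search-and-replace in the closing paragraph of the post above can be scripted rather than done by hand. The following is an added example, not code from the post or from Slashdot: it walks a directory tree, reports readme.eml/readme.exe wherever they appear, reports root.exe/admin.dll only when they sit under an IIS web or script directory (as the post says to do), and strips the quoted window.open("readme.eml") script from .htm/.html/.asp pages. The file names, directory names and the script line come from the post; the function names, the dry-run flag and the sample tree are this example's own assumptions, and the sample tree is constructed data, not a real infected host.

```python
"""Added example: sweep a tree for the worm's dropped files and the injected popup script."""
import os
import re
import tempfile

# Files the post says to delete wherever they appear.
DROPPED_FILES = {"readme.eml", "readme.exe"}
# Files the post says to remove only when copied into IIS web/script directories.
WEB_ONLY_FILES = {"root.exe", "admin.dll"}
# Directory fragments the post cites as IIS locations (assumption: matched case-insensitively).
IIS_DIR_MARKERS = ("inetpub/scripts", "inetpub/wwwroot")
WEB_PAGE_EXTS = (".htm", ".html", ".asp")

# Matches the exact line quoted in the post, tolerating whitespace differences.
INJECTED_RE = re.compile(
    r'<html>\s*<script\s+language="JavaScript">\s*window\.open\("readme\.eml",\s*null,\s*'
    r'"resizable=no,top=6000,left=6000"\)\s*</script>\s*</html>',
    re.IGNORECASE,
)


def in_iis_dir(path):
    """True if the path lies under one of the IIS directories named in the post."""
    norm = path.replace("\\", "/").lower()
    return any(marker in norm for marker in IIS_DIR_MARKERS)


def classify_file(path):
    """Return 'delete', 'delete-web-copy', or None, following the post's rules."""
    name = os.path.basename(path).lower()
    if name in DROPPED_FILES:
        return "delete"
    if name in WEB_ONLY_FILES and in_iis_dir(path):
        return "delete-web-copy"
    return None


def strip_injected_script(text):
    """Remove every copy of the injected popup line; returns (cleaned_text, count_removed)."""
    return INJECTED_RE.subn("", text)


def scan_tree(root, dry_run=True):
    """Walk root and report findings; with dry_run=False also delete files and clean pages."""
    findings = {"files": [], "pages": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            verdict = classify_file(path)
            if verdict:
                findings["files"].append((path, verdict))
                if not dry_run:
                    os.remove(path)
                continue
            if fname.lower().endswith(WEB_PAGE_EXTS):
                with open(path, "r", encoding="latin-1") as fh:
                    text = fh.read()
                cleaned, count = strip_injected_script(text)
                if count:
                    findings["pages"].append((path, count))
                    if not dry_run:
                        with open(path, "w", encoding="latin-1") as fh:
                            fh.write(cleaned)
    return findings


INJECTED_LINE = ('<html><script language="JavaScript">window.open("readme.eml", null, '
                 '"resizable=no,top=6000,left=6000")</script> </html>')


def build_sample_tree():
    """Constructed sample layout (not real data) mimicking a hit IIS host; returns its root."""
    root = tempfile.mkdtemp()
    layout = {
        "Inetpub/wwwroot/index.htm": "<html><body>welcome</body></html>\n" + INJECTED_LINE,
        "Inetpub/wwwroot/about.html": "<html><body>clean page</body></html>\n",
        "Inetpub/wwwroot/readme.eml": "constructed placeholder, not worm content",
        "Inetpub/scripts/root.exe": "constructed placeholder",
        "WINNT/system32/root.exe": "constructed placeholder outside IIS dirs; left alone",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, verdict in scan_tree(sample)["files"]:
        print(verdict, path)
    for path, count in scan_tree(sample)["pages"]:
        print("injected script x%d in %s" % (count, path))
```

Run it first with the default dry_run=True and review the report; only then rerun with dry_run=False, with the machine still unplugged from the network as the post advises. The root.exe under WINNT/system32 in the sample is deliberately left untouched, because the post only calls for removing copies found inside IIS directories.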