Win32:CodeRed

Win32:CodeRed is a classical Internet worm which infects unpatched Microsoft IIS web servers. It DOES NOT AFFECT end users' PCs and workstations without MS IIS in any way! The worm exists in computer memory only; it is never written to any file. The worm exploits a buffer overflow security hole in the Microsoft IIS web server. Microsoft is aware of this problem, and a security patch that closes this hole and solves the problem has existed since June 2001.

Win32:CodeRed sends itself as an HTTP request which exploits the buffer overflow and allows the worm to run on the target computer. The worm runs directly from memory and is never saved as a file.

If the date is before the 20th of the month, 99 new threads attempt to find other vulnerable computers by attacking random IP addresses. English web pages are defaced. After two hours the worm responds to incoming HTTP requests and returns its own HTML code, which contains the following text:
                Welcome to http:// www.worm.com !
                Hacked By Chinese!

If the date is between the 20th and 28th of the month, the worm attempts a Denial of Service attack on a specific IP address by sending large amounts of junk data to port 80 (the web service). The IP address is 198.137.240.91, which used to be the IP address of www.whitehouse.gov. This IP address (which is hard-wired in the worm) has since been changed and is no longer active.

If the date is later than the 28th of the month, the worm enters a sleep state for 24 days and 20 hours. Because this overlaps with the period of its spreading, the worm remains dormant indefinitely. Unfortunately, any computer with a wrongly set system date can cause a large reinfection wave again.
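Because the worm lives only in memory, file scanning finds nothing; its outbound traffic, however, matches the behaviour described above. The following is an added example, not part of the original description, that flags hosts whose firewall logs show either the random-IP port-80 scanning or a connection to the hard-coded DoS target; the log line format and the scan threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hard-coded DoS target named in the description above.
CODERED_DOS_TARGET = "198.137.240.91"
# Assumed threshold (tune to environment): distinct port-80 destinations per source per minute.
SCAN_THRESHOLD = 20

# Constructed firewall log format used only for this example:
# "<ISO timestamp> OUT src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}

def find_codered_behaviour(lines, threshold=SCAN_THRESHOLD):
    """Return {src: set(reasons)}: 'port80-scan' for many distinct port-80
    destinations in one minute (the scanning threads), 'dos-target' for any
    connection to the worm's hard-coded DoS target."""
    per_minute = defaultdict(set)  # (src, minute) -> distinct dst on port 80
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 80:
            continue
        if rec["dst"] == CODERED_DOS_TARGET:
            findings[rec["src"]].add("dos-target")
        minute = rec["ts"].replace(second=0, microsecond=0)
        per_minute[(rec["src"], minute)].add(rec["dst"])
    for (src, _), dsts in per_minute.items():
        if len(dsts) >= threshold:
            findings[src].add("port80-scan")
    return dict(findings)

# Constructed sample: one host scanning 25 addresses in one minute, one clean
# host, and one host (on the 21st) connecting to the DoS target.
SAMPLE_LOG = (
    [f"2001-07-19T10:00:{i:02d} OUT src=10.0.0.5 dst=203.0.113.{i} dport=80" for i in range(25)]
    + ["2001-07-19T10:00:30 OUT src=10.0.0.7 dst=192.0.2.10 dport=80",
       "2001-07-21T02:15:00 OUT src=10.0.0.9 dst=198.137.240.91 dport=80"]
)
```

Running `find_codered_behaviour(SAMPLE_LOG)` reports 10.0.0.5 as scanning and 10.0.0.9 as hitting the DoS target; a flagged host should be patched and rebooted as described under Removal, since the in-memory worm does not survive a restart.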

Removal: 

  • Download and apply the patch from the following web site: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
  • Restart the computer.
Variants: 
Win32:CodeRedII (Win32:CodeRed.c)
On Saturday, August 4th 2001 a new variant of the worm was discovered. This variant uses the same security hole as the original one. It infects computers running the Microsoft IIS web server without the patch installed. It is able to send itself from the infected computer more intensively but for a shorter period. It is much more dangerous, because it installs a trojan horse into the infected system. This trojan horse is able to work as a backdoor into the system and can provide unauthorised access to the compromised computer. The worm disables itself forever on October 1st. This new variant does not deface the web page content and does not perform the DoS attack against the White House. Its only goal is to compromise as many computers as it can. If it is able to infect a large enough number of computers (the original worm was able to infect about 300 000 computers), then the integrity of the Internet could be compromised: such a huge number of servers which could be misused by a third party means a very serious security threat. Moreover, administrators of such computers cannot be sure that their system was not further compromised through this backdoor. While the defense against the original worm was quite simple (applying the patch and rebooting the computer), the best way to get rid of the CodeRedII variant is to reformat the computer and to reinstall it from scratch.