
Virus Central - Detailed

Virus Information

Read more about Code Red II

Name:

W32/CodeRed.worm

Aliases:

Code Red, W32/Bady.worm

Type:

Internet Worm

Discovery Date:

07/17/2001

Detection:

 

Virus Description:

UPDATE July 30, 2001:
Users may see reissued alerts from other security organizations, as well as additional media coverage of this threat, over the next
24-48 hours. AVERT reiterates that this threat does not generally affect an end-user's PC; rather, it attacks unpatched Microsoft
IIS web servers. However, all Internet users can feel the effects of this worm, such as requested web pages being defaced or
unavailable.

UPDATE July 19, 2001:
AVERT is raising awareness of this worm by setting its Risk Assessment for this exploit to SPECIAL. We are doing so because our
focus is on providing security support to our customers and the computing public at large.

 

E-mail Subject:

 

E-mail Body:

 

Attachment:

 

Virus Effects:

This threat only affects Microsoft Windows XP/2000/NT systems running web servers.

Your environment is at HIGH RISK if:

1) You have Microsoft Index Server 2.0, or Indexing Service installed with Windows 2000/XP (installed by default with IIS).

2) You have NOT updated these components with the latest patch from Microsoft.

The worm spreads by exploiting a buffer overflow in the Index Server ISAPI extension, described in the Microsoft bulletin
"Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise".

IT EXISTS IN MEMORY ONLY AND NO WRITTEN FILE EVER EXISTS ON THE HARD DISK.

It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP
stream directly to its victims, which in turn scan the web for other systems to infect. Once a system is infected, the viral code
checks for the existence of C:\notworm. If the file C:\notworm is present, the worm stops seeking other machines to infect.

Affected English language web servers have their web pages defaced with:

<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5><font
color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked
By Chinese!</font></hr></bady></html>
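As an added example (not part of the LHRIC/AVERT advisory), the following Python script scans IIS W3C extended log lines for requests that match the propagation traffic described above: oversized requests to the Index Server ISAPI extension (.ida/.idq resources) arriving over port 80. The request shape it looks for (a GET for /default.ida carrying a long filler run and %u-encoded bytes) comes from public Code Red analyses, not from this page; the sample log lines, the 200-byte length threshold, and the function names are constructed for this example.

```python
"""
Flag Code Red style probes of the Index Server ISAPI extension in IIS
W3C extended log files.

Added example; not code from the advisory. The heuristic is: a request
whose URI stem ends in .ida or .idq with an abnormally long query string,
or a query string containing %uXXXX escapes, is not a normal Index Server
search and is worth an alert and a patch-status check on that server.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Assumption for this example: legitimate Index Server queries are short
# CiRestriction/CiScope strings, never hundreds of bytes.
MIN_SUSPICIOUS_QUERY_LEN = 200
ISAPI_EXTENSIONS = (".ida", ".idq")
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

# Constructed sample of an IIS 5.0 W3C log. Line 4 mirrors the shape of the
# probe published in public Code Red analyses; the filler run is shortened
# to 224 bytes so the sample stays compact. IPs are documentation ranges.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-07-19 10:21:03 192.0.2.10 GET /index.html - 200\n"
    "2001-07-19 10:21:07 198.51.100.7 GET /default.ida "
    + "N" * 224
    + "%u9090%u6858%ucbd3%u7801 200\n"
    "2001-07-19 10:21:09 192.0.2.11 GET /search.idq CiRestriction=budget 200\n"
)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    query_len: int
    reasons: List[str]


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field->value) for each data line, using the
    #Fields directive to name the columns. Directive and blank lines are
    skipped; lines with the wrong column count are ignored as malformed."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before #Fields directive")
        parts = raw.split()
        if len(parts) != len(fields):
            continue
        yield line_no, dict(zip(fields, parts))


def assess(line_no: int, rec: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the record looks like an ISAPI probe, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(ISAPI_EXTENSIONS):
        return None
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else query          # W3C logs write "-" for empty
    reasons = []
    if len(query) >= MIN_SUSPICIOUS_QUERY_LEN:
        reasons.append(f"query length {len(query)} >= {MIN_SUSPICIOUS_QUERY_LEN}")
    if UNICODE_ESCAPE.search(query):
        reasons.append("%uXXXX escapes in query string")
    if not reasons:
        return None
    return Finding(line_no, rec.get("c-ip", "?"), stem, len(query), reasons)


def scan_log(text: str) -> List[Finding]:
    """Run the heuristic over a whole log and collect the findings."""
    return [f for f in (assess(n, r) for n, r in parse_w3c(text)) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} -> {f.uri_stem} "
              f"({f.query_len}-byte query): {'; '.join(f.reasons)}")
```

Only the /default.ida line is reported; the ordinary /search.idq query is short and contains no %u escapes, so it passes. A hit from an external address means the server was at least probed and its patch status should be verified, while a hit where c-ip is one of your own servers means that server is already infected and scanning outward.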

Removal Instructions:

Install the patch from Microsoft. For more information and to obtain a patch for this vulnerability, visit Microsoft's site:

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

Note that, on top of applying the patch, the server must also be rebooted to remove the worm from memory. Without the patch,
the machine will simply become reinfected through the same vulnerability.

The worm does NOT affect desktop PCs or NT file servers.

McAfee has created a vulnerability assessment tool called CyberCop Worm Scan. The tool will scan your system, determine if the
server is vulnerable, and if so direct you to the Microsoft website to download the patch.

 


Site Last Updated: August 29, 2001
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).