W32/CodeRed.f.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 03/11/2003
Length: N/A
Minimum DAT: 4152 (08/06/2001)
Updated DAT: 4152 (08/06/2001)
Minimum Engine: 5.1.00
Description Added: 03/12/2003
Description Modified: 03/12/2003 11:13 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update March 12, 2003 --
The risk assessment of this threat was updated to Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/29724.html. AVERT does not consider this a higher risk than Low-Profiled, because detection for it has existed in DAT files available since August 6th, 2001, and because customers have already taken the precaution of updating their systems in response to the initial CodeRed worm. McAfee gateway scanners, such as the WebShield e250, e500 and e1000 appliances, can detect and remove CodeRed.f on the gateway when using DAT files released since August 6th, 2001.

This variant is nearly identical to W32/CodeRed.c.worm. The only difference lies in two bytes, which govern the time at which the worm reboots the machine (thus clearing the worm from memory). W32/CodeRed.f.worm will not reboot the machine until the year is greater than or equal to 34952.

This threat affects Microsoft Windows 2000 running web servers.

Your environment is at HIGH RISK if:

1) You have Microsoft IIS server installed with Windows 2000.

2) You have NOT updated this server with the latest patch from Microsoft.

A buffer overflow exploit (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise) is used to spread this worm.

THIS VIRUS EXISTS IN MEMORY ONLY. Detection of the worm in memory requires process scanning. This is available with VirusScan 7 Enterprise, and detection is provided in the 4252 DATs. See the Removal Instructions section for more details.

However, it also tries to create a backdoor trojan which is binary-identical to the one dropped by W32/CodeRed.c.worm (detected as W32/CodeRed.c trojan with the 4152 DATs and above), saving it to c:\explorer.exe and d:\explorer.exe. This exploits the "Relative Shell Path" Vulnerability, under which Windows will run c:\explorer.exe before %windir%\explorer.exe, so the trojan is run wherever EXPLORER.EXE is called. The trojan does nothing more than write certain values to the registry every 10 minutes. It is these registry values that open a security hole in your system.

On the next reboot, the trojan carries out its payload and then calls the original explorer.exe. The trojan adds a value to the following registry key, to disable local file system security:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SFCDisable

Two values are added to the following key to enable a remote attacker to have access to the C: and D: drives, via a web browser:

HKLM\SYSTEM\CurrentControlSet\Services\
W3SVC\Parameters\Virtual Roots.

Also under this key, the /SCRIPTS and /MSADC values are configured to allow read/write access to the paths associated with these values.

These changes allow a remote attacker to execute shell commands on the local system by sending them to it via a URL.

For more information, please read the description of W32/CodeRed.c.worm.

Symptoms

Presence of the files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe

Method of Infection

This worm makes use of a Microsoft Index Server buffer overflow exploit to execute itself in memory.

Removal

Microsoft has released a tool to "eliminate the obvious effects of the Code Red II worm".

-- Trojan Removal --
To detect and remove the trojan, the 4152 DATs are required. If the trojan is detected it will be deleted, and the registry keys which allow a remote attacker to have access to the C: and D: drives, via a web browser, will be deleted as well.

Additionally, administrators need to remove the /C and /D virtual shares through the INTERNET SERVICES MANAGER and should restore the permissions on the /SCRIPTS and /MSADC virtual directories (if necessary) for each virtual website. The Windows File Protection/System File Checker registry value should be restored to the desired setting (0 is the default):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SFCDisable

Delete the following files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe
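As an added defender-side check (not part of the AVERT description or any McAfee tool), the following Python script parses a .reg export of the two registry keys named in the Characteristics and Trojan Removal sections and reports the indicators described there: a non-zero SFCDisable value and W3SVC virtual roots that map to a bare drive root such as /C or /D. The .reg sample, its dword value and the ",,217" flag field are constructed, and the "path,username,flags" layout of a Virtual Roots entry is an assumption.

```python
import re
# Constructed .reg export (not a real capture) of a Windows 2000 host after the
# CodeRed.c/.f trojan's registry changes. The dword and ",,217" flag field are
# illustrative; the checks only rely on "non-zero" and "maps to a drive root".
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\program files\\common files\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"
'''
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

def parse_reg(text):
    """Minimal .reg parser -> {key: {name: value}} for quoted strings and dword:hex."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        else:  # quoted string: undo the .reg escaping of backslashes and quotes
            keys[current][name] = raw.strip('"').replace('\\\\', '\\').replace('\\"', '"')
    return keys

def coderered_registry_findings(reg_text):
    reg = parse_reg(reg_text)
    findings = []
    sfc = reg.get(WINLOGON, {}).get("SFCDisable", 0)
    if sfc != 0:  # 0 is the default; anything else disables Windows File Protection
        findings.append(f"SFCDisable={sfc:#x} (Windows File Protection disabled)")
    for name, val in reg.get(VROOTS, {}).items():
        path = str(val).split(",")[0]  # assumed entry format: "path,username,flags"
        if re.fullmatch(r"[A-Za-z]:\\?", path):
            findings.append(f"virtual root {name} exposes drive root {path}")
    return findings

if __name__ == "__main__":
    print(*coderered_registry_findings(SAMPLE_REG), sep="\n")
```

Run it against a fresh export after following the removal steps above; an empty result confirms the SFCDisable value is back to 0 and no virtual root still points at a drive root.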

-- Virus Removal --

W32/CodeRed.f.worm can be detected in memory by VirusScan 7 Enterprise (using the 4252 DATs). This is achieved by initiating an on-demand scan (with "Memory of Running Processes" in the scan target list). The worm will be successfully removed from memory if cleaning is enabled:

[VSE7 on-demand console after W32/CodeRed.f.worm clean]

Install the patches from Microsoft. For more information and to obtain the patches for these vulnerabilities, visit Microsoft's sites:

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

"Relative Shell Path" Vulnerability

Note that on top of applying the patch, rebooting of the server is also required to remove the worm from memory. Without the patch, the machine will simply become reinfected using the same vulnerability.

The worm does NOT affect desktop systems or pure file servers.

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.