W32/CodeRed.a.worm
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 07/17/2001
- Length
- 0
- Minimum DAT
- 4149 (07/23/2001)
- Updated DAT
- 4149 (07/23/2001)
- Minimum Engine
- 5.1.00
- Description Added
- 07/18/2001
- Description Modified
- 03/11/2003 7:52 PM (PT)
Characteristics
UPDATE March 11, 2003:
The W32/CodeRed.f variant has been seen in the wild. This variant is almost identical to the .C variant.
UPDATE July 30, 2001:
Users may see reissued alerts from other security organizations as well as additional media coverage of this threat. AVERT reiterates that this threat does not generally affect an end user's PC; it attacks unpatched Microsoft IIS web servers. However, all Internet users can feel the effects of this worm, such as requested web pages being defaced or unavailable.
UPDATE July 19, 2001:
AVERT has set the Risk Assessment for this worm to SPECIAL in order to raise awareness of it. We are doing so because our focus is on providing security support to our customers and the computing public at large.
This threat only affects web servers running Microsoft Windows 2000. Although Windows NT is vulnerable to the same exploit, the worm crashes on Windows NT.
Your environment is at HIGH RISK if:
1) You have Microsoft IIS server installed with Windows 2000.
2) You have NOT updated these components with the latest patch from Microsoft.
The exploit used to spread this worm is a buffer overflow in the Index Server ISAPI extension, described in Microsoft Security Bulletin MS01-033 (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).
THE WORM EXISTS IN MEMORY ONLY; NO FILE IS EVER WRITTEN TO THE HARD DISK. As such, the worm is not detected on disk by the current engine and DATs (see the removal instructions for how to remove it).
It spreads over TCP/IP on port 80. By using this exploit, the worm sends itself as a TCP/IP stream directly to each victim, which in turn scans the web for other systems to infect. Once a system is infected, the viral code checks for the existence of C:\notworm. If the file C:\notworm is present, the worm stops seeking other machines to infect; note that this file only stops propagation and does not remove the worm already running in memory.
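Because the worm never touches disk, the web server's own request log is one of the few artifacts left on a victim. The following detector is an added example and is not part of the AVERT advisory or any McAfee tooling: it reads IIS W3C extended log lines and flags requests aimed at the Index Server ISAPI extension (idq.dll, which serves .ida and .idq resources) whose query string is long enough to overrun the extension's buffer, then counts probes per source address, since an infected host scans many targets. The 200-byte threshold is a tuning assumption, the log lines are constructed for the example rather than captured from a real server, and the run of "N" characters merely stands in for an over-long query, not for the worm's actual bytes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Tuning assumption (not from the advisory): a legitimate Index Server query is
# far shorter than the padding needed to overrun the ISAPI extension's buffer.
QUERY_LENGTH_THRESHOLD = 200

# Resources handled by the Index Server ISAPI extension (idq.dll serves .ida/.idq).
INDEX_SERVER_RESOURCE = re.compile(r"\.id[aq]$", re.IGNORECASE)


@dataclass(frozen=True)
class Probe:
    source_ip: str
    uri_stem: str
    query_length: int
    status: str


def parse_w3c_log(lines: Iterable[str]):
    """Yield one dict per data line, using column names from the #Fields directive."""
    fields: Optional[list] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess the column alignment
        yield dict(zip(fields, parts))


def is_index_server_probe(entry: dict) -> bool:
    """True when a request targets a .ida/.idq resource with an oversized query."""
    query = entry.get("cs-uri-query", "-")
    query_len = 0 if query == "-" else len(query)
    stem = entry.get("cs-uri-stem", "")
    return bool(INDEX_SERVER_RESOURCE.search(stem)) and query_len >= QUERY_LENGTH_THRESHOLD


def find_probes(lines: Iterable[str]) -> list:
    """Return one Probe per log line that looks like an Index Server overflow attempt."""
    probes = []
    for entry in parse_w3c_log(lines):
        if is_index_server_probe(entry):
            probes.append(Probe(entry["c-ip"], entry["cs-uri-stem"],
                                len(entry["cs-uri-query"]), entry.get("sc-status", "-")))
    return probes


def scanning_sources(probes: list) -> Counter:
    """Count probes per source address; repeated hits from one address point at an infected scanner."""
    return Counter(p.source_ip for p in probes)


# Constructed sample log (not captured from a real server). The 240-byte run of
# "N" stands in for the over-long query that overruns the extension's buffer.
PADDING = "N" * 240
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /index.htm - 200",
    f"2001-07-19 10:00:02 10.0.0.5 GET /default.ida {PADDING} 200",
    "2001-07-19 10:00:03 192.0.2.11 GET /search.idq CiRestriction=report 200",
    f"2001-07-19 10:00:04 10.0.0.5 GET /default.ida {PADDING} 200",
    f"2001-07-19 10:00:05 198.51.100.7 GET /default.ida {PADDING} 200",
    "2001-07-19 10:00:06 192.0.2.12 POST /scripts/upload.asp - 404",
]


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.source_ip} -> {p.uri_stem} query_len={p.query_length} status={p.status}")
    for ip, n in scanning_sources(found).most_common():
        print(f"{ip}: {n} probe(s)")
```

On the constructed input the legitimate .idq search (short query) is ignored while the three oversized .ida requests are flagged, two of them from the same address. Run it against a real IIS log by replacing SAMPLE_LOG with the file's lines; the status column is kept only for context, since a request that crashed or hijacked the extension need not be logged with an error status.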
Affected English language web servers have their web pages defaced with:
Welcome to http://www.worm.com !
Hacked
By Chinese!
Symptoms
Web pages defaced with the message:
Welcome to http://www.worm.com !
Hacked By Chinese!
Method of Infection
This worm makes use of a Microsoft Index Server buffer overflow exploit to execute itself in memory.
Removal
Install the patch from Microsoft. For more information and to obtain a patch for this vulnerability, visit Microsoft's site:
Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
Note that on top of applying the patch, rebooting the server is also required to remove the worm from memory. Without the patch, the machine will simply become reinfected through the same vulnerability; without the reboot, the patched machine is still running the worm code already loaded into memory.
The worm does NOT affect desktop systems or NT file servers.
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Code Red
- W32/Bady.worm
- W32/CodeRed.worm