Threat Description

Worm:W32/CodeRed

Details

Aliases:Worm:W32/CodeRed
Category:Malware
Type:Worm
Platform:W32

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.



Removal

Microsoft has released a patch that addresses the vulnerability used by this worm. Apply the security patch for this vulnerability from:

Then reboot the server. The worm's code is never written to disk (it exists only in memory), so a reboot removes the running infection completely. Apply the patch before rebooting: an unpatched server that comes back up while other infected hosts are still scanning will simply be reinfected.

Technical Details

This is the original Code Red web worm (the A variant), first found in July 2001.

History

UPDATE ON 1ST OF AUGUST, 2001

By 15:00 GMT, 15 hours after widespread Code Red infections restarted, the situation is getting rapidly worse. The worm has gone worldwide again, infecting vulnerable web sites at an increasing rate. The number of infected servers almost doubles every hour and has passed 20,000 infected machines. In comparison, on 19 July Code Red infected around 300,000 servers, and was stopped only because the worm halted infections by itself. This time around the worm won't stop spreading for another three weeks.

UPDATE ON 1ST OF AUGUST, 2001

By 12:00 GMT, 12 hours after the Code Red worm's new spreading phase restarted, no visible effects of the worm could be seen. The worm did restart spreading, as feared, but the initial rate of infections was not very fast. The worm might gain more ground later on, but the number of reinfected web servers will likely be lower than in July, and the worm's effect on the general public minimal.

Propagation

Code Red is a worm that exploits a security hole in Microsoft Internet Information Server (IIS) to spread. Once it has infected a server it scans for other vulnerable servers and infects them. For a certain period of each month the worm only spreads; it then launches a Denial-of-Service (DoS) attack against www1.whitehouse.gov and finally suspends all activity.

This cycle repeats every month and is driven by the date on the infected host's own clock. (The time zone in the timeline picture that accompanied this section is GMT.) The worm can therefore resume its infection phase at midnight on July 31st, either because infected servers with incorrect date settings are already scanning for vulnerable hosts, or because a malicious party restarts the worm manually. The front page of an infected server might also have been changed by the worm to the following:

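The following Python model is an added illustration of the two points made above and in the Removal section: the worm's behaviour is keyed to the day of the month read from each infected host's own clock (so one host with a wrong date can restart the outbreak early), and a reboot clears the memory-resident worm but an unpatched host is reinfected by the next scanner that reaches it. It is not code from F-Secure or from the worm. The day boundaries used (1-19 spread, 20-27 DoS, 28 onward dormant) are the commonly documented schedule for the A variant and are an assumption here, since the page says only "a certain period of time"; population size, scanning rate and clock offsets are constructed for the demo.

```python
"""Toy model of Code Red A's date-driven phases, the clock-skew early restart,
and why the removal advice is patch *then* reboot.

Added illustration; not F-Secure's analysis code and not the worm's code.
Assumptions: phase day boundaries as commonly documented for the A variant;
population size, scan rate and clock skews are constructed for the demo.
"""
import random
from datetime import date, timedelta


def phase(d: date) -> str:
    """Worm phase for a given (GMT) calendar day.
    Assumed boundaries: 1-19 spread, 20-27 DoS, 28 onward dormant."""
    if d.day <= 19:
        return "spread"
    if d.day <= 27:
        return "dos"
    return "dormant"


class Server:
    """An IIS host. The worm is memory-resident, so `infected` is the only
    state a reboot clears; `patched` is what actually stops reinfection."""

    def __init__(self, name: str, patched: bool = False, clock_skew_days: int = 0):
        self.name = name
        self.patched = patched
        self.skew = timedelta(days=clock_skew_days)  # constructed clock error
        self.infected = False

    def local_date(self, true_date: date) -> date:
        return true_date + self.skew  # the worm consults the host's own clock

    def hit(self) -> bool:
        """One exploit attempt against this host; succeeds only if unpatched."""
        if not self.patched:
            self.infected = True
        return self.infected

    def reboot(self) -> None:
        self.infected = False  # nothing on disk, so the in-memory worm is gone

    def patch(self) -> None:
        self.patched = True


def scanning_round(servers, true_date: date, rng: random.Random,
                   scans_per_host: int = 3) -> int:
    """One round: every host that is infected AND whose own clock says
    'spread' probes scans_per_host random peers. Returns new infections."""
    attackers = [s for s in servers
                 if s.infected and phase(s.local_date(true_date)) == "spread"]
    new = 0
    for s in attackers:
        for target in rng.sample(servers, scans_per_host):
            if target is not s and not target.infected and target.hit():
                new += 1
    return new


def simulate(servers, true_date: date, rounds: int, seed: int = 1) -> list:
    """Infected-host count after each scanning round."""
    rng = random.Random(seed)
    history = []
    for _ in range(rounds):
        scanning_round(servers, true_date, rng)
        history.append(sum(1 for s in servers if s.infected))
    return history


def remediate(server: Server, patch_first: bool) -> bool:
    """Apply the removal advice, then let one more scanner probe the host.
    Returns True if the host is infected again afterwards."""
    if patch_first:
        server.patch()
    server.reboot()
    server.hit()
    return server.infected


def population(n: int, seed_name: str, skew_days: int = 0):
    """n unpatched hosts; the first is already infected and may be clock-skewed."""
    servers = [Server(f"host{i}") for i in range(n)]
    servers[0] = Server(seed_name, clock_skew_days=skew_days)
    servers[0].infected = True
    return servers


if __name__ == "__main__":
    july31 = date(2001, 7, 31)
    # Correct clocks: every host sees the 31st (dormant), so nothing spreads.
    print("no skew :", simulate(population(40, "seed"), july31, 6))
    # One host whose clock is a day ahead already sees 1 August and scans.
    print("+1d skew:", simulate(population(40, "seed", skew_days=1), july31, 6))
    # Once the real date is 1 August, every infected host scans.
    print("1 August:", simulate(population(40, "seed"), date(2001, 8, 1), 6))
    print("reboot only  -> reinfected:", remediate(population(1, "v")[0], False))
    print("patch+reboot -> reinfected:", remediate(population(1, "v")[0], True))
```

Only the skewed host scans on the 31st in the second run, because the hosts it infects still read the 31st on their own clocks and stay dormant until the real date rolls over; once it does, the whole infected population scans at once, which is the restart the updates above describe.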