Home > Threat descriptions >



Category: Malware

Type: Worm

Aliases: Worm:W32/CodeRed


This is original Code Red web worm (the A variant) found originally in July 2001.


Microsoft has released a patch that addresses the vulnerability used by this worm. Apply the security patch for this vulnerability from:

Then reboot the server. Since the worm's code is not written to a hard disk (it exists only in memory) rebooting will eliminate the infection completely.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


By 15:00 GMT, 15 hours after widespread Code Red infections restarted, the situation is getting rapidly worse. The worm has gone worldwide again, infecting vulnerable web sites at an increasing rate. The number of infected servers almost doubles every hour, and has passed 20,000 infected machines. In comparison, on 19th of July, Code Red infected around 300,000 servers, and was only stopped because the worm stopped infections by itself. This time around the worm won't stop spreading for another three weeks.


By 12:00 GMT, 12 hours after the new spreading phase for the Code Red worm restarted, no visible effects of the worm could be seen. The worm did restart spreading, as feared, but initial rate of infections was not very fast. The worm might gain more ground later on, but it's likely that the number of reinfected web servers will be lower than in July, and effects of the worm to general public will be minimal.


Code Red is a worm that exploits a security hole in Microsoft Internet Information Server (IIS) to spread. When it infects a server it starts to scan for other vulnerable servers and infects them. During a certain period of time the worm only spreads, then it initiates a Denial-of-Service (DoS) attack against www1.whitehouse.gov and finally suspends all the activities.

This repeats every month. The time zone in the above picture is GMT. The worm can resume into infection phase at midnight July 31st, if there is infected servers in the Internet with incorrect date settings causing that they already are scanning for vulnerable hosts; or the worm is restarted manually by a malicious party. The front page of an infected server might have been changed by the worm to following:

Date Created: -

Date Last Modified: -