Code Red -- Help & How-To

By Robert Vamosi
31 July 2001 04:32 PM
Tags: "code red", worm, virus, patch, iis, microsoft, vulnerable, scan
Microsoft and the US-based National Infrastructure Protection Centre (NIPC) have urged all users of Microsoft's IIS 4.0 and 5.0 to install a security patch to protect against Code Red.

The worm, which has been in a dormant phase, will re-awaken on August 1, 2001 and is thought to be more dangerous the second time around. Code Red spreads by scanning the Internet for vulnerable IIS systems, and it is this scanning activity that has the potential to degrade service across the entire Internet. A patch issued by Microsoft removes the IIS vulnerability that the worm scans for in Windows NT and 2000. Users of Microsoft Windows 95, Windows 98, or Windows Me are not affected by the Code Red worm.

History
The Code Red worm, named after a high-caffeine cola from Mountain Dew, exploits a known vulnerability in ida.dll, a component of the Index Server that provides support for .ida and .idq files. In Microsoft's IIS 4.0 and 5.0, ida.dll is subject to buffer overruns, allowing a malicious user to run rogue code and gain access to the server. Microsoft originally posted a patch for this vulnerability on June 18, 2001.

However, not all the affected IIS systems were patched. Within a few hours on July 19th, the Code Red worm spread to more than 250,000 machines worldwide. The worm, believed to have started at a university in Guangdong, China, searches out systems with the vulnerable ida.dll by choosing random Internet addresses, and it defaces some infected Web sites with the phrase "Hacked by Chinese." The original outbreak of the worm was to have launched a denial-of-service attack upon www.whitehouse.gov, but the White House changed its numerical address and avoided the attack. Code Red continued to spread from July 20th to July 27th, when it went dormant.

Variations of the worm have been seen in the wild and reported to BugTraq. In a rare move, the government is joining with Microsoft to encourage all users of Windows NT and 2000 to install the security patch. Users of the beta version of Windows XP should contact Microsoft directly for more information.

Prevention
The worm can be removed by rebooting an infected system; however, that solution does not guard against infection again at a later time. Therefore, Microsoft has created a security patch for the following systems: Windows NT version 4.0 and Windows 2000 Professional, Server and Advanced Server. In addition, Symantec has a free tool to scan your system for signs of infection.

Additional information regarding the patch can be found on Microsoft's Web site. Also, Digital Island has detailed step-by-step instructions for installing the patches and safeguarding your system.
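
Because ida.dll handles requests for .ida and .idq files, attempts against it appear in the Web server's logs as requests for those extensions. The following is an added example, not part of the original article or any vendor tool: it reads a W3C extended format log and groups oversized Index Server requests by client address. The 200-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: a query string this long on an Index Server script is abnormal.
MAX_QUERY_LEN = 200
INDEX_EXTENSIONS = (".ida", ".idq")

# Constructed sample in W3C extended log format; the addresses are documentation
# ranges and the long queries are plain filler, not worm traffic.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:15 198.51.100.7 GET /default.ida " + "A" * 240 + " 200",
    "2001-07-19 14:02:16 198.51.100.7 GET /search.idq CiScope=/&q=patch 200",
    "2001-07-19 14:03:40 203.0.113.55 GET /scripts/query.IDQ " + "B" * 300 + " 500",
    "2001-07-19 14:03:41 203.0.113.55 GET /default.ida " + "B" * 300 + " 500",
    "2001-07-19 14:04:02 192.0.2.10 GET /images/logo.gif - 200",
])


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_index_requests(text, max_query_len=MAX_QUERY_LEN):
    """Group oversized .ida/.idq requests by client address."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if stem.endswith(INDEX_EXTENSIONS) and query != "-" and len(query) > max_query_len:
            hits[row.get("c-ip", "?")].append(
                (row.get("date"), row.get("time"), stem, len(query)))
    return dict(hits)


if __name__ == "__main__":
    for ip, rows in suspicious_index_requests(SAMPLE_LOG).items():
        print(ip, len(rows), "oversized Index Server request(s)")
```

A match shows that an oversized request reached the server, not that the server is infected; a patched system will still log these attempts.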
