Code Red slows, but danger still lurks

By Rachel Konrad, Staff Writer
03 August 2001 01:47 PM
Tags: code red, worm
The rate of infection from the dreaded Code Red worm and related mutations is slowing, but security experts say some computers may still be at risk.

The worm had infected servers responsible for more than 280,000 Web sites overnight, according to security trackers at the SANS Institute. But the number of computers that the worm infects each hour appeared to be declining steadily after an initial burst on Tuesday, according to SANS.

Overnight, the rate of infection had slowed to such an extent that the National Infrastructure Protection Centre (NIPC) had issued a news release stating that agents were "cautiously optimistic" about the worm's demise. They said the impact of the worm's second attack on computer servers worldwide "has been minimised."

Despite the worm's seeming sluggishness, virus experts warn that it could still wreak havoc on vulnerable servers. The worm works on a monthly cycle and will not go back into hibernation for several weeks.

As first reported, the Code Red worm takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software running on Windows NT and Windows 2000 systems. Code Red was thought to have infected as many as 359,000 systems within about six days during its original attack in July, making it one of the fastest-spreading worms ever.

The worm remains active between the first of the month and the 28th, when it goes into hibernation. While the worm does not reactivate itself automatically, any computer vandal sending a copy of the worm once the active period begins--most recently at midnight GMT August 1--would start a new round of infections. On the 20th of the month, the worm is set to switch to attack mode and barrage an Internet address originally associated with the White House Web site with large packets of data.

Experts credited massive downloading of a security patch that fixes the IIS vulnerability for hampering the worm's spread this time. The worm only infects computers running the Windows NT and Windows 2000 operating systems and Microsoft's Internet Information Server (IIS) Web server software, meaning few home PCs are vulnerable to the attack.

"The large number of machines that are now patched (has) changed the playing field, but we still anticipate increasingly rapid growth worldwide in the coming days," according to a statement on the Web site of security services company Internet Security Systems (ISS).

"We anticipate remaining at (high alert) through early August but will watch the situation closely and adjust the threat level accordingly."
