RealTime IT News

Code Red Spreads Across Web

A new worm known as "Code Red" has been spreading around the Net defacing Web pages by infecting servers running Microsoft Corp.'s Internet Information Services (IIS) Web server.

eEye Digital Security said the worm is similar to the sadmind/IIS worm that propagated near the end of the U.S.-China hacker skirmishes in May. Code Red tries to exploit a buffer overflow in the IIS application programming interface that Microsoft patched last month (The patch may be found here). Once it infects a server it attempts to:

  • Spawn 100 threads that scan servers running a vulnerable version of IIS
  • Check for the existence of the c:notworm file (which it creates); if it finds c:notworm then it does not propagate itself to other hosts
  • Defaces Web pages with the message: Hello! Welcome to http://www.worm.com! Hacked By Chinese!

To recover an infected system, patch IIS, remove the file c:notworm and restore the defaced Web files from a recent backup.