New Worm On the Loose
Page 1 of 1
A new worm, aping the injection vector of the now infamous Code Red worm but carrying a much more dangerous payload, was found in the wild Sunday according to security firms Security Focus and eEye Digital Security.
"There is in fact a completely brand new worm loose on the net right now," said Ryan Permeh and Marc Maiffret of Eye Digital Security in an analysis Sunday morning. "It uses the same injection vector as the first Code Red worm, however, this second worm has a completely different payload than the first worm. Therefore, this second worm is not a variant of the first Code Red worm."
Like the Code Red worm, this worm exploits a buffer overflow in Microsoft Corp.'s IIS 4.0 and 5.0 Web server software. But this worm has been designed to scour far more IP addresses than Code Red -- allowing it to spread much further -- while at the same time causing more data to sent across networks, increasing the possibility of massive latency. But the worm doesn't stop there. It also delivers a trojan designed to dump root.exe (cmd.exe) and create backdoors into an infect system that allow an attacker to remotely access that server.
However, though it is a different worm, the fix is the same. Microsoft's patch, released in June, blocks the worm. This worm only infects Windows 2000 systems. The worm will simply crash a vulnerable NT 4.0 system.
"Diligent prevention is the key to fighting attacks using the Internet like the Code Red and Code Red II worms," said Ken Klein, chief operating officer at Mercury. "If an organization misses even one machine in their infrastructure, they leave the door open to infection -- or to potential infiltration. ActiveTest SecureCheck can very quickly determine if a system is vulnerable."
To schedule a free scan or get more information, visit the site, or call mercury at 800-TEST911 in the U.S., 1-408-822-5200 internationally.