Code Red: “I’ll Be Back!”

Computer security organizations, ranging from the Federal Bureau of
Investigation’s National Infrastructure Protection Center (NIPC) to the
Computer Emergency Response Team Coordination Center (CERT/CC), said Sunday
they fear a relaunch of the Code Red
worm, which attacked servers around the world on July 19.

“We really need to get the word on the street exactly how detrimental Code Red can be to our systems,” said Dave McCurdy, executive director of the Internet Security Alliance, one of the groups that issued the warning. “It poses a serious potential threat, but one that can be avoided with the proper precautions.”

McCurdy added, “We’re doing everything possible to ensure all users of the Internet — especially small businesses and individual users who may not yet be aware of Code Red — have the tools they need to safeguard their systems.”

Code Red attacks servers running Microsoft’s IIS 4.0 and 5.0 Web server
software. It propagates rapidly — it infected 250,000 systems in nine hours
on July 19 — by spawning 100 threads that scan the Internet for vulnerable
servers and installing itself on those systems. As the worm multiplies and
the scanning escalates, the worm causes massive latency across the Internet.

It also checks for the existence of the file c:\notworm, which it leaves
behind in an infected system. If it finds the file, Code Red goes dormant.

It then checks whether the Web site the server is running is in English. If
so, it defaces the page with the message: “Hello! Welcome to! Hacked By Chinese!”

The worm entered another stage at 8 p.m. EDT on July 20, when it stopped
propagating and every worm in existence sent 100 connections to port 80 of
the page.

The security organizations believe it is likely to begin spreading again on

“Code Red is likely to start spreading again on July 31st, 2001 8 p.m. EDT
and has mutated so that it may be even more dangerous,” the groups, which
include Microsoft, the NIPC, the Federal Computer Incident Response Center, Information
Technology Association of America, CERT/CC, SANS Institute, Internet
Security Systems and Internet Security Alliance, warned in a jointly
published alert. “This spread has the potential to disrupt business and
personal use of the Internet for applications such as electronic commerce,
e-mail and entertainment.”

The worm only affects Windows NT or Windows 2000 systems running the IIS Web
server software. Windows 95, Windows 98 and Windows Me are not affected.

Microsoft last month published a patch that will protect vulnerable
systems. The patch for Windows NT 4.0 is available here, and the patch for
Windows 2000 Professional, Server and Advanced Server is available here.
