A new worm known as “Code Red” has been spreading around the Net defacing
Web pages by infecting servers running Microsoft Corp.’s Internet
Information Services (IIS) Web server.
eEye Digital Security said the worm is similar to the sadmind/IIS worm that
propagated near the end of the U.S.-China hacker skirmishes in May. Code Red tries to exploit a buffer overflow in the
IIS application programming interface that Microsoft patched last month (The
patch may be found here). Once it infects a server it attempts
to:
- Spawn 100 threads that scan servers running a vulnerable version of IIS
- Check for the existence of the c:notworm file (which it creates); if it
finds c:notworm then it does not propagate itself to other hosts - Defaces Web pages with the message: Hello! Welcome to
http://www.worm.com! Hacked By Chinese!
To recover an infected system, patch IIS, remove the file c:notworm and
restore the defaced Web files from a recent backup.