A new worm, aping the injection vector of the now infamous Code Red worm but
carrying a much more dangerous payload, was found in the wild Sunday,
according to security firms Security Focus and eEye Digital Security.
“There is in fact a completely brand new worm loose on the net right now,”
said Ryan Permeh and Marc Maiffret of eEye Digital Security in an analysis
Sunday morning. “It uses the same injection vector as the first Code Red
worm, however, this second worm has a completely different payload than the
first worm. Therefore, this second worm is not a variant of the first Code
Like the Code Red worm, this worm exploits a buffer overflow in Microsoft
Corp.’s IIS 4.0 and 5.0 Web server software. But this worm has been designed
to scour far more IP addresses than Code Red — allowing it to spread much
further — while at the same time causing more data to be sent across networks,
increasing the possibility of massive latency. But the worm doesn’t stop
there. It also delivers a trojan designed to dump root.exe (cmd.exe) and
create backdoors into an infected system that allow an attacker to remotely
access that server.
However, though it is a different worm, the fix is the same. Microsoft’s patch, released in June, blocks the worm. This worm only infects
Windows 2000 systems. The worm will simply crash a vulnerable NT 4.0 system.
As far as detection goes, enterprise testing and performance management solutions provider Mercury Interactive Corp. is offering to scan any organization’s Internet infrastructure for both Code Red and Code Red II free of charge.
“Diligent prevention is the key to fighting attacks using the Internet like the Code Red and Code Red II worms,” said Ken Klein, chief operating officer at Mercury. “If an organization misses even one machine in their infrastructure, they leave the door open to infection — or to potential infiltration. ActiveTest SecureCheck can very quickly determine if a system is vulnerable.”
To schedule a free scan or get more information, visit the site, or call Mercury at 800-TEST911 in the U.S., 1-408-822-5200 internationally.