W32/CodeRed

| Field | Value |
|---|---|
| Detected by virus detection files published | 11/2/2001 |
| Virus characteristics first published | 11/2/2001 |
| Virus characteristics latest update | 12/17/2003 |
| Alias | W32/Bady, CodeRed IIS worm, .ida CodeRed Worm |
| Infection type | Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Type | Worm |
| Spreading mechanism | Other |
| Overall risk | Low |
| Destructivity | |
| Payload | |
This is a worm of a new type. It exists only as a process in memory and is never written to disk as a file. It exploits a security hole in the Indexing Service of the popular Microsoft Internet Information Server (IIS). The vulnerability exists in the following versions:

Microsoft published a patch on 18 June 2001 that secures IIS servers against this vulnerability (see below). Only unpatched IIS web servers running the Indexing Service are seriously affected by this worm, although a number of unconfirmed anomalies and crashes have been reported from other devices such as routers, modems with web management interfaces, and firewall filters. Note in particular that even though the security flaw is in the Indexing Server component of IIS, all default installations of the IIS versions mentioned above are vulnerable, because the exploitable file is installed by a default IIS installation.

The worm arrives at the web server as a seemingly innocent HTTP request. IIS Index Service does not handle the request properly, and as a result code contained in the request itself is executed with full system-level access on the web server. That code spawns 99 process threads, each of which attempts to connect to other machines. The IP addresses of the machines to attack are generated randomly, and the worm attempts to connect to them whether or not they are running a web server; if no web server is running, the connection simply fails. This demonstrates that replicating code can move from machine to machine across the network without ever creating a file on disk.

The infection process runs from the 1st to the 19th of every month. From the 20th to the 27th of every month the worm stops attacking random machines and instead attacks an IP address belonging to whitehouse.gov; this was an attempt at a large-scale denial-of-service attack on the US White House's web site. From the 28th until the start of the next month the worm is dormant. The worm also goes dormant if it finds a file called C:\notworm on the disk. If the worm is running on a machine with an English (US) operating system, it attempts to deface existing web pages with the following text: Welcome to http://www.worm.com !
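The text above describes an infected host that hammers random IP addresses with crafted requests to the Index Server ISAPI extension, which means an administrator's own IIS access logs are the most direct place to see both inbound probes and evidence of neighbours that are already infected. The following is an added example, not code from Norman or Microsoft, that parses IIS W3C extended log lines and flags requests to the Index Server extensions with abnormally long or %u-encoded query strings. The .idq extension is included because the same ISAPI extension (idq.dll) handles both .ida and .idq; the threshold, the helper names and the sample log lines are constructed assumptions for this example, not a real capture or a vendor signature.

```python
"""Flag CodeRed-style Index Server requests in IIS W3C extended log lines.

Added illustration (not Norman's or Microsoft's code). Heuristic: the worm
abuses the Index Server ISAPI extension (idq.dll, which serves .ida and
.idq), so a request for such a resource that carries an abnormally long
query string, or one containing %uXXXX escapes, deserves attention.
Thresholds and sample lines are constructed assumptions for the example.
"""
from __future__ import annotations

import re
from collections import Counter

# Assumed threshold for this example; tune it against your own baseline.
QUERY_LEN_THRESHOLD = 128
INDEX_SERVER_EXTENSIONS = (".ida", ".idq")
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

# Constructed sample in IIS W3C extended format; not a real capture.
# The worm-like query is a long run of filler followed by %u escapes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /default.ida {worm} 200
2001-07-19 14:02:12 192.0.2.11 GET /index.html - 200
2001-07-19 14:02:13 198.51.100.7 GET /samples/search/query.idq CiRestriction=budget 200
2001-07-19 14:02:14 192.0.2.10 GET /default.ida {worm} 200
2001-07-19 14:02:15 203.0.113.5 GET /default.ida {worm} 404
""".format(worm="N" * 224 + "%u9090%u6858%ucbd3%u7801")


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into one dict per record, keyed by #Fields."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            # Malformed line or missing header: skip rather than guess.
            continue
        records.append(dict(zip(fields, values)))
    return records


def is_codered_like(rec: dict[str, str]) -> bool:
    """True when the request targets an Index Server file with a hostile-looking query."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    if not stem.endswith(INDEX_SERVER_EXTENSIONS):
        return False
    if query == "-":  # IIS logs "-" for an empty query string
        return False
    return len(query) >= QUERY_LEN_THRESHOLD or bool(UNICODE_ESCAPE.search(query))


def suspicious_sources(text: str) -> Counter:
    """Count flagged requests per client IP; each source is a probable infected host."""
    return Counter(r["c-ip"] for r in parse_w3c(text) if is_codered_like(r))


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} CodeRed-style request(s)")
```

A legitimate Index Server query such as the short `CiRestriction=budget` request is not flagged, while the three long `%u`-laden requests to `/default.ida` are, including the one that received a 404 (a server with the script mapping removed still sees the probe, and the source address still identifies an infected neighbour worth notifying).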
Variants and new versions

There are at least three different variants/versions of this worm. Only a few days after the original worm was reported, a new variant was seen in the wild. The main differences from the original worm seem to be:

Some time later a new version of CodeRed was discovered. The latest known variant differs significantly from the two previous ones, as it is much more dangerous. This variant opens a backdoor on the compromised computer, leaving it completely open to remote commands. To be sure that you are no longer compromised, a computer infected by this variant of the CodeRed worm should be reformatted, as there is no other way to be certain that the computer is not infected by other malicious program(s).

Detection and removal

Reboot the server if infected. Install the patch from Microsoft, found at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

More information can be found at: http://www.eeye.com/html/Research/Advisories/AD20010618.html and http://www.eeye.com/html/Research/Advisories/AL20010717.html

Norman wishes to thank Mr. Marc Maiffret, Chief Hacking Officer at eEye.com, for supplying us with information in this case.