Information about the original CodeRed worm is available below (CodeRed.A).
F-Secure is upgrading CodeRed.F to level 2. This variant will reinfect
unprotected IIS Web servers, most of which were already infected
earlier by CodeRed II. We're not expecting this to become as big as it
was in 2001.
The new variant of the CodeRed worm CodeRed.F has been spreading in
the wild since March 11th, 2003. This is more than 18 months after the
original CodeRed worm spread across the world faster than any worm
before it.
However, since CodeRed.F still uses the old exploit to infect IIS Web
Servers, the number of vulnerable machines is not too high. Most of
them are forgotten web servers or home machines without firewall.
CodeRed.F is almost identical to CodeRed II, with just two bytes
changed. CodeRed II stopped spreading in in the end of 2002 - the
change in CodeRed.F changes this and enables it to spread forever.
Just like CodeRed II, this worm will install a backdoor to infected
web server, enabling any web surfer to easily execute commands on the
server by just typing them in a special URL.
REMOVAL
Microsoft has shipped a tool to eliminate the obvious damage caused by
CodeRed II worm.
Information about the original Code Red worm is available below (CodeRed.A).
Third variant of the Code Red worm has been spreading in the wild since
August 4th, 2001. It targets Microsoft IIS www servers, and does not pose
a threat to end users.
CodeRed II is a rewritten version of the original Code Red worm. It
uses the same IIS hole to gain access on the web server and then
continues to find new vulnerable systems.
Interestingly, Code Red II has been programmed to spread more aggressively
in China than anywhere else. This might be in relation to the Chinese
references in the original worm.
The most important feature of Code Red II is that it installs a backdoor
into systems it infects.
This is accomplished by copying the standard Windows
NT/2000 command interpreter "cmd.exe" into web server's "scripts"
directory. As a result, any web surfer can now execute commands on any
infected www site just by typing suitable URLs to the web location.
Below, a 'DIR' directory listing command has been executed.
TECHNICAL INFORMATION
When a host gets infected it starts to scan for other hosts
to infect. It probes random IP addresses but the code is
designed so that probing of neighbour hosts is more probable.
If the infected system has the language set to Chinese the
worm starts more aggressive scanning (600 threads instead
of 300). The scanning runs for 24 hours after the infection
(48 for Chinese machines) and then the system is rebooted.
There is a time limit in the code that will stop the worm on
the 1st of October. At that time it will reboot the machine
and stop spreading. The installed trojan still remains in
the system!
The worm drops a trojan program to '\explorer.exe' that
modifies different some IIS settings to allow a remote attack
of the infected host. The standard command interpreter 'cmd.exe'
is copied to '\inetpub\scripts\root.exe' and to
'\progra~1\common~1\system\MSADC\root.exe'. The worm creates
these files to both 'C:' and 'D:' drives if they exist. These
copies of the 'cmd.exe' will allow any attacker to execute
commands on the remote system really easily.
TROJAN PART OF THE CODE
First of all it disables the System File Checker (SFC)
functionality in Windows. SFC is responsible for checking the
integrity of system files.
Two new root directories are added to the IIS configuration:
'/c' that points to 'c:\' and
'/d' that points to 'd:\'.
This makes sure that even if the copies of 'cmd.exe' the worm
made are removed the system can still be compromised.
Modifications to the registry:
'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable'
is set to 0xffffff9d that disables the System File Checker.
',217' is appended to these keys:
'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts'
'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\MSADC'
These keys make 'C:' and 'D:' accessible trough the webserver:
'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\C'
'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\C'
REMOVAL INSTRUCTIONS
First apply the neccesary security patches from Microsoft:
The first one fixes the vulnerability the worm uses to spread.
The second one fixes the problem that makes Windows to run
the trojanized 'explorer.exe' from the root folder. Both patches
must be applied.
When the patches are applied the system has to be rebooted to
eliminate the worm itself if it was still active. The following
files must be deleted:
This is original Code Red web worm, found originally in July 2001.
UPDATE ON 1ST OF AUGUST, 2001
By 15:00 GMT, 15 hours after widespread Code Red infections restarted, the situation
is getting rapidly worse. The worm has gone worldwide again, infecting vulnerable
web sites at an increasing rate. The number of infected servers almost doubles every
hour, and has passed 20,000 infected machines.
On comparison, on 19th of July, Code Red infected around 300,000 servers, and was
only stopped because the worm stopped infections by itself. This time around the
worm won't stop spreading for another three weeks.
UPDATE ON 1ST OF AUGUST, 2001
By 12:00 GMT, 12 hours after the new spreading phase for the Code Red worm
restarted, no visible effects of the worm could be seen. The worm did restart
spreading, as feared, but initial rate of infections was not very fast.
The worm might gain more ground later on, but it's likely that the number of
reinfected web servers will be lower than in July, and effects of the worm
to general public will be minimal.
BASIC INFORMATION ON CODE RED WORM
Code Red is a worm that exploits a security hole in Microsoft
Internet Information Server (IIS) to spread. When it infects a
server it starts to scan for other vulnerable servers and infects
them. During a certain period of time the worm only spreads, then
it initiates a Denial-of-Service (DoS) attack against
www1.whitehouse.gov and finally suspends all the activities.
This repeats every month. The time zone in the above picture is GMT.
The worm can resume into infection phase at midnight July 31st, if
there is infected servers in the Internet with incorrect date settings
causing that they already are scanning for vulnerable hosts; or the
worm is restarted manually by a malicious party.
The front page of an infected server might have been changed by
the worm to following:
Removal instructions:
Apply the security patch for this vulnerability from
Then reboot the server. Since the worm's code is not written to a
hard disk (it exists only in memory) rebooting will eliminate the
infection completely.
[Analysis: Gergely Erdelyi, Sami Rautiainen & Mikko Hypponen / F-Secure Corp.; July-August, 2001]
