CodeRed.F
Discovered on: March 11, 2003
Last Updated on: March 12, 2003 02:59:25 AM
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.
This variant differs in only two bytes from the original CodeRed II. CodeRed II would reboot the system if the year was greater than 2001. This is no longer the case in this variant.
Symantec Antivirus definitions will detect this variant as CodeRed Worm if saved to a file. The worm also drops a trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and clean this new variant.
Please click here for information on how best to leverage Symantec technologies to combat the CodeRed threat.
The worm scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers and uses a buffer overflow vulnerability to infect remote machines. The worm injects itself directly into memory, rather than copying itself over as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.
If you are running Microsoft IIS Server, it is strongly recommended that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at
http://www.microsoft.com/technet/sec.../MS01-033.asp.
A cumulative patch for IIS that includes the four patches released to date is available at
http://www.microsoft.com/technet/sec.../MS01-044.asp.
In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address that problem and to stop the Trojan from reinfecting the computer:
http://www.microsoft.com/technet/sec...n/MS00-052.asp
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.a.worm [McAfee]
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500, CVE-2001-0506