Code Red: "I'll Be Back!"

By Thor Olavsrud

Computer security organizations, ranging from the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) to the Computer Emergency Response Team Coordination Center (CERT/CC), said Sunday they fear a relaunch of the Code Red worm, which attacked servers around the world on July 19.

The FBI has scheduled a Monday press conference at 3 pm ET in Washington to discuss the matter further.

Code Red attacks servers running Microsoft's IIS 4.0 and 5.0 Web server software. It propagates rapidly -- it infected 250,000 systems in nine hours on July 19 -- by spawning 100 threads that scan the Internet for vulnerable servers and installing itself on those systems. As the worm multiplies and the scanning escalates, the worm causes massive latency across the Internet.

It also checks for the existence of the file c:\notworm, which it leaves behind in an infected system. If it finds the file, Code Red goes dormant.

It then checks whether the Web site the server is running is in English. If so, it defaces the page with the message: "Hello! Welcome to http://www.worm.com! Hacked By Chinese!"

The worm entered another stage at 8 p.m. EDT on July 20, when it stopped propagating and every worm in existence sent 100 connections to port 80 of the www.whitehouse.gov page.

The security organizations believe it is likely to begin spreading again on Tuesday.

"Code Red is likely to start spreading again on July 31st, 2001 8 p.m. EDT and has mutated so that it may be even more dangerous," the groups, which include Microsoft, the NIPC, the Federal Computer Incident Response Center, Information Technology Association of America, CERT/CC, SANS Institute, Internet Security Systems and Internet Security Alliance, warned in a jointly published alert. "This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, e-mail and entertainment."

The worm only affects Windows NT or Windows 2000 systems running the IIS Web server software. Windows 95, Windows 98 and Windows Me are not affected.

Microsoft last month published a patch which will protect vulnerable systems. The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server is available here.

Editor's note: Thor Olavsrud is a reporter for InternetNews.com, an internet.com site.