
press centre

CodeRed.F - new variant - Level Three

SYDNEY, NSW -- March 12, 2003 -- On March 12, 2003, Symantec Security Response confirmed that a new minor variant of CodeRed II has been found in the wild: CodeRed.F. This variant differs in only two bytes from the original CodeRed II. This variant will not reboot the computer and it will remain active in memory as long as the system is rebooted. Symantec AntiVirus definitions will detect this variant as CodeRed Worm. Symantec Security Response has also created a tool to perform a vulnerability assessment of computers and to remove CodeRed Worm and CodeRed II. Symantec's network intrusion detection product, ManHunt, detects CodeRed with both Hybrid signatures and normal anomaly detection.

Symantec Security Response is categorising CodeRed.F as a level three threat.

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other Web servers. Symantec Security Response received reports of a high number of IIS Web servers that were infected.

CodeRed II has a payload that allows the hacker to have full remote access to the Web server. It is considered to be a high threat. Security Response recommends that organisations running Microsoft IIS Server apply the latest Microsoft patch to protect their networks from this worm. The patch is available at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp. A cumulative patch for IIS that includes the four patches released to date is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Symantec's Norton AntiVirus is able to detect an infection on the Web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot. This Trojan takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address that problem and to stop the Trojan from reinfecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp.

About Symantec
Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 38 countries. For more information, please visit www.symantec.com.au

NOTE TO EDITORS: Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.