Symantec offers free toolkit to counter CodeRed

Corporations worldwide infected by virus CodeRed Worm

MUMBAI -- August 6, 2001

WHAT:

CodeRed.v3 (CodeRed.C) was discovered on Aug 4, 2001. It has been called a variant of the original CodeRed because it uses the same "buffer overflow" exploit to propagate to other web servers. Symantec AntiVirus Research Center (SARC) received reports of a high number of IIS web servers being infected. Symantec is assessing CodeRed.v3 to be a high threat.

CHARACTERISTICS

The original CodeRed had a payload that causes a denial-of-service attack on the White House web server. The variant called CodeRed.v3 has a different payload that gives the hacker full remote access to the web server.

The CodeRed worm affects systems running Microsoft Index Server 2.0 or the Windows 2000 Indexing service. This worm only compromises computers running IIS 4.0 and IIS 5.0 on Windows NT and Windows 2000 operating systems. CodeRed.v3 can establish more than 300 processes to search for other vulnerable servers to spread itself to.

Symantec is seeing a larger number of infections of CodeRed.v3 than the original version and this number is steadily increasing. This is because CodeRed.v3 has the ability to probe a larger number of IP addresses than the original version. This is causing an increase in the amount of activity on the Internet and a slowing down of the Internet.

RECOMMENDATIONS/PROTECTION:

Symantec is offering a free tool called Symantec Security Check to determine if your computer is at risk. The tool is available free on the Symantec website, www.symantec.com. For organisations running Microsoft’s IIS server, it is strongly recommended to apply the latest Microsoft patch for protection from this worm. The patch can be found at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Norton AntiVirus is able to detect an infection on the web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot.

Organisations that previously applied the patch are not at risk. Those that have not yet applied the patch need to do so as soon as possible. If they have been attacked, they also need to clean up the Trojan that may be on their systems, which leaves their server open to a possible hack attack even after they have applied the Microsoft patch.

We believe the new CodeRed.v3 worm was developed by a virus writing group from Europe called 29A. A more detailed write-up is available at http://www.symantec.com/avcenter/venc/data/codered.v3.html

Symantec is the only Internet security solutions provider to offer comprehensive protection against the CodeRed attack.

ABOUT SYMANTEC ANTIVIRUS RESEARCH CENTRE (SARC):

SARC is one of the industry’s largest dedicated teams of virus experts. With offices located in the United States, Japan, Australia and the Netherlands, the sun never sets on SARC. The center’s mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.

ABOUT SYMANTEC:

Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and companies. The company is a leading provider of virus protection, risk management, Internet content and email filtering, and mobile code detection technologies to enterprise customers. Headquartered in Cupertino, Calif., Symantec has worldwide operations in more than 24 countries.

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Centre.

Brands and products referenced herein are the trademarks or registered trademarks of their respective holders.