KUALA LUMPUR -- August 6, 2001 -- CodeRed.v3 (also known as CodeRed.C) was discovered on August 4, 2001. It is regarded as a variant of the original CodeRed because it propagates through the same buffer overflow in the Index Server ISAPI extension of IIS (the vulnerability addressed by Microsoft bulletin MS01-033). Symantec AntiVirus Research Center has received reports of a high number of infected IIS web servers and assesses CodeRed.v3 as a high threat.
The original CodeRed carried a payload that launched a denial-of-service attack against the White House web server. CodeRed.v3 carries a different payload: it installs a backdoor that gives an attacker full remote access to the compromised web server.
The CodeRed worm affects systems running Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. It only compromises computers running IIS 4.0 or IIS 5.0 on Windows NT 4.0 and Windows 2000. Once resident, CodeRed.v3 starts more than 300 threads that scan for other vulnerable servers to infect.
Symantec offers a free tool, Symantec Security Check, to determine whether a computer is at risk. The tool is available free of charge on the Symantec website, www.symantec.com.
Organisations running Microsoft's IIS server are strongly advised to apply the latest Microsoft patch, which closes the vulnerability the worm exploits. The patch can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Norton AntiVirus detects an infection on the web server by identifying the worm's dropped payload (the Trojan component) as Trojan.VirtualRoot.
Symantec is seeing a larger number of CodeRed.v3 infections than of the original version, and the number is steadily increasing. This is because CodeRed.v3 probes far more IP addresses than the original version. The resulting scanning traffic is raising the load on the Internet and causing a measurable slowdown.
Organisations that applied the patch before being exposed are not at risk. Those that have not yet applied it must do so as soon as possible. Servers that were already attacked must also have the dropped Trojan removed: applying the Microsoft patch alone stops further infection attempts but does not close the backdoor the Trojan leaves behind, so an already-compromised server remains open to remote access until it is cleaned.
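Because the worm propagates by sending the same malformed request to every server it reaches, the first place to look for it is the IIS web log. The script below is an added example, not part of the original Symantec release. It scans constructed IIS W3C Extended log lines (the sample entries are made up for this illustration) for the Index Server ISAPI (.ida) overflow request and tells the two worms apart by the filler byte of the request: the original CodeRed pads its request with a long run of "N", CodeRed.v3 with a long run of "X", as the public analyses of the two worms documented. The field order and the 224-character padding are assumptions about a typical IIS 5.0 log and the worm's request, and the "%u" tail is a placeholder for the encoded shellcode that follows the padding.

```python
"""
Scan IIS W3C Extended log lines for the Index Server ISAPI (.ida) buffer
overflow request that CodeRed and CodeRed.v3 use to propagate.

Added example, not from the original Symantec release.  Assumptions:
  * log lines use the W3C Extended layout listed in FIELDS (IIS 5.0 style)
  * the original CodeRed pads its request with 'N', CodeRed.v3 with 'X'
  * SAMPLE_LOG below is constructed for the example, not a real capture
"""
import re
from collections import Counter

# Field order of the constructed sample log (a common IIS 5.0 W3C layout).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status"]

# The exploit request hits /default.ida with a long run of one filler byte
# followed by %u-encoded shellcode.  The filler character tells the two
# worms apart; a /default.ida query that is padded differently is still
# flagged, so a hand-crafted probe of the same ISAPI is not ignored.
IDA_PATTERN = re.compile(r"^(?P<pad>[NX])(?P=pad){200,}")

# Constructed sample log.  The "%u9090" tail stands in for the real
# shellcode; detection keys on the padding, not on the shellcode bytes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 09:12:31 192.0.2.10 GET /index.htm - 200
2001-08-04 09:13:02 192.0.2.44 GET /default.ida {n}%u9090%u9090 200
2001-08-04 09:14:55 198.51.100.7 GET /default.ida {x}%u9090%u9090 200
2001-08-04 09:15:10 198.51.100.7 GET /default.ida {x}%u9090%u9090 200
2001-08-04 09:16:40 203.0.113.9 GET /default.ida AAAA 404
""".format(n="N" * 224, x="X" * 224)


def parse_line(line):
    """Split one W3C log line into a dict; None for comment or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry):
    """Return 'CodeRed', 'CodeRed.v3', 'unknown-ida', or None for an entry."""
    if entry["cs-uri-stem"].lower() != "/default.ida":
        return None
    match = IDA_PATTERN.match(entry["cs-uri-query"])
    if match is None:
        # A /default.ida request that is not padded like either worm:
        # still a probe of the vulnerable extension, so report it.
        return "unknown-ida"
    return "CodeRed" if match.group("pad") == "N" else "CodeRed.v3"


def scan(lines):
    """Return ({variant: hit count}, {variant: set of source IPs})."""
    counts = Counter()
    sources = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is None:
            continue
        counts[label] += 1
        sources.setdefault(label, set()).add(entry["c-ip"])
    return counts, sources


if __name__ == "__main__":
    hits, ips = scan(SAMPLE_LOG.splitlines())
    for variant, count in sorted(hits.items()):
        print(f"{variant}: {count} request(s) from {sorted(ips[variant])}")
```

A logged hit is evidence of an attempt against the server, not proof of compromise: whether it succeeded depends on whether the MS01-033 patch was in place when the request arrived. On a server that was unpatched at the time, follow up by checking for the Trojan.VirtualRoot artifacts that the contemporary analyses of the worm described (copies of cmd.exe named root.exe in the IIS scripts and MSADC directories, and IIS virtual roots named /C and /D mapped to the drive roots) rather than relying on the log alone.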
We believe the new CodeRed.v3 worm was developed by a virus-writing group from Europe called 29A.
A more detailed write-up is available at http://www.symantec.com/avcenter/venc/data/codered.v3.html
Protection:
Symantec is the only Internet security solutions provider to offer a comprehensive protection against the CodeRed attack.
Norton AntiVirus - definitions are available to detect and repair the Trojan that CodeRed.v3 drops, identified as Trojan.VirtualRoot.
Enterprise Security Manager - Symantec's policy compliance and vulnerability management system, helps manage security patch update functions. Two new patch templates are available that detect the underlying vulnerability on Windows NT 4.0 and Windows 2000 servers.
NetProwler - Symantec's network-based intrusion detection tool, with Security Update installed, is capable of detecting attempts to attack IIS 4.0 and 5.0 servers through this vulnerability.
Intruder Alert - Symantec's host-based intrusion detection tool, with Security Update installed, is capable of detecting attempts to attack IIS 4.0 and 5.0 servers through this vulnerability.
NetRecon - Symantec's network vulnerability assessment tool will be updated to detect whether this vulnerability exists on a system and, if so, to provide recommendations on how to fix it.
Raptor Firewall - Symantec's enterprise firewall can be configured to block suspect outbound data traffic from the IIS server.
Free "FixCodeR" Assessment Tool - For users who do not have any of the above products, this special tool, available from www.symantec.com/avcenter, detects the presence of the worm on an NT system.
Symantec Web Security - This service, www.symantec.com/securitycheck, has been updated to scan whether a system is vulnerable to this exploit.
ABOUT SYMANTEC ANTIVIRUS RESEARCH CENTRE (SARC)
SARC is one of the industry's largest dedicated teams of virus experts. With offices located in the United States, Japan, Australia and the Netherlands, the sun never sets on SARC. The centre's mission is to provide swift, global responses to computer virus threats, proactively research and develop technologies that eliminate such threats and educate the public on safe computing practices. As new computer viruses appear, SARC develops identification and detection for these viruses and provides either a repair or delete operation, thus keeping users protected against the latest virus threats.
ABOUT SYMANTEC
Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards.
Headquartered in Cupertino, Calif., Symantec has worldwide operations in 37 countries. For more information, please visit our Web site at www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Centre at http://www.symantec.com/region/au_nz/PressCenter/ on Symantec's Web site.