1. /
  2. Security Response/
  3. CodeRed Worm

CodeRed Worm

Risk Level 2: Low

Discovered:
July 16, 2001
Updated:
February 13, 2007 11:36:53 AM
Also Known As:
W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
Type:
Worm
Systems Affected:
Microsoft IIS
CVE References:
CVE-2001-0500 CVE-2001-0506


CodeRed Worm Update: August 10, 2001 (9:00 AM Pacific):
Symantec Security Response has created a removal tool to perform a vulnerability assessment of your computer and remove the CodeRed Worm and CodeRed II.

CodeRed Worm Update: August 5, 2001 (12:00 AM Pacific):
A variant of the CodeRed Worm has been detected as CodeRed II. Click here for more information.

CodeRed Worm Update: July 31, 2001 (1:00 PM Pacific):
Computers that were infected by CodeRed have stopped propagating this worm as of July 28, 2001, due to its logic of going into infinite sleep mode. Although there was much speculation as to whether this worm would wake up again on August 1, 2001, Symantec Security Response's analysis of the CodeRed worm indicates that a re-infection will not re-awaken already infected computers.

If the worm is once again injected into the Internet, it can only affect computers that still have the vulnerability on the Web server. Previously infected computers can be re-infected if they have not been patched. Symantec Security Response advises users of IIS4.0 and 5.0 to apply the Microsoft patch before August 1. Security Response will continue to monitor CodeRed activities on the Internet and will post updates to this page when available.

The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch is located at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A Cumulative Patch for IIS that includes the four patches released to date is available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

System administrators are encouraged to apply the Microsoft patch to prevent infection of this worm and other unauthorized access.

For information on the various ways to check for this threat and the underlying vulnerability, or if you are using Symantec Enterprise Firewall, refer to the Additional Information section below.

C-lick here for information on how to best leverage Symantec technologies to combat the CodeRed threat.




Symantec offers multiple options to check for this threat and the underlying vulnerability.

Home users
  • Symantec Security Check is a tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
  • "FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
  • Norton Internet Security is Symantec's integrated security and privacy suite that has been updated with a new rule that blocks suspected outbound data traffic from the IIS server. This new rule can be applied to Norton Internet Security by running LiveUpdate.

Corporate users
  • Symantec Security Check is a free tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
  • "FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
  • Enterprise Security Manager (ESM) is a Symantec policy compliance and vulnerability management system that helps manage security patch update functions through the ESM patch module. Two patch templates are available that detect this vulnerability on Windows NT 4.0 and Windows 2000 servers. Download q300972.zip, and then extract the templates into the ESM Manager's /esm/template folder.
  • NetProwler is Symantec's network-based intrusion detection tool. With Security Update 8 installed, it will detect attempts to attack your IIS 4.0 and 5.0 servers that use this vulnerability. You can download NetProwler SU8 by running the product's auto update feature.
  • Symantec Enterprise Firewall is Symantec's application inspection firewall. By default, it blocks suspected outbound data traffic from Web servers like IIS. When running on the firewall's service network, it stops the propagation of this, as well as other types of attacks. See the section labeled Expanded Symantec Enterprise Firewall information below for more information about these default settings.
  • NetRecon, Symantec’s network vulnerability assessment tool, has been updated to detect this vulnerability. The tool checks the Microsoft IIS Index Service and will notify you if your IIS Server is exposed to the threat. Click here for more information.

You cannot reliably detect an infection by searching for a specific file, such as C:\Notworm, or by viewing HTML files of defaced Web pages, because the worm runs only in memory and never directly writes any information to your hard drive. For more information, see the "Technical Details" section. Also, it is unreliable to search for traces of the worm in log files, as even patched computers may contain log entries of previous attacks. Therefore, Symantec highly recommends applying the Microsoft patch, rather than relying on such methods of detection.

The worm spreads by using HTTP requests. This code exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The code is not saved as a file, but is inserted into and run directly from memory. Applying the Microsoft patch and then restarting the computer will remove the worm and prevent further infections.

In addition to seeking new host computers to attack, the worm may attempt a DoS attack. Also, the worm creates multiple threads, which can cause instability on your computer.

Finally, unpatched Cisco products and other services listening on port 80, such as Hewlett Packard JetDirect cards, may be vulnerable to the attack, or result in a DoS, due to port scans.


Expanded Symantec Enterprise Firewall information

Symantec Enterprise Firewall, VelociRaptor Firewall appliance, and Symantec Raptor Firewall provide a combination of protections, including "protect by default" security configurations, third-generation application inspection technology, and automatic initial and ongoing system hardening, to ensure that our firewall protects your network. In this case, the "protect by default" approach has again benefited our customers and the Internet community at large by helping to stop the propagation of the recent CodeRed Worm. You will automatically, and by default, prevent the propagation of this worm by using any of these firewalls where your public Web servers are located on the firewall's "service" network. We recommend that you double-check your configurations to ensure that rules were not added to allow Web servers on your service network that make outgoing Web requests. Since this is uncommon, changes to your Symantec Gateway Firewall should not be necessary.

If you have public Web servers on the firewall's "internal" network, Symantec recommends adding a rule to the firewall that prevents any of your Web servers from making outgoing Web requests. Since Web servers typically only need to accept incoming Web requests and do not need to make outgoing Web requests, this should not have a negative impact on your daily operations. This change will improve the overall security of your network and help prevent the propagation of this worm. In addition, we recommend that you review your network configuration and Web-server deployment. For the best possible protection, we also recommend that all publicly accessible servers be on the firewall's service network and not on the internal network.

For additional information, see the document Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow.

To determine whether your server has been patched, Microsoft provides the IIS 5.0 Hotfix Checking Tool, located at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

Cisco's advisory regarding affected products can be found at:

http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

Microsoft tool
Microsoft has created a Tool to Remove Obvious Effects of the Code Red II Worm.

Antivirus Protection Dates

  • Initial Rapid Release version July 17, 2001
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version July 17, 2001
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Medium
Writeup By: Eric Chien

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver