
CodeRed II

Risk Level 2: Low

Discovered: August 4, 2001
Updated: February 13, 2007 11:37:00 AM
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, CodeRed.F
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500, CVE-2001-0506


As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild. This variant, CodeRed.F, differs in only two bytes from the original CodeRed II. Symantec Antivirus definitions will detect this variant as CodeRed Worm. The existing CodeRed Removal Tool will correctly detect and clean this new variant.

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other Web servers. Symantec Security Response received reports of a high number of infected IIS Web servers. CodeRed II is considered to be a serious threat.
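To show what the propagation traffic described above looks like on the receiving end, here is an added example (not from Symantec or this writeup) that scans constructed IIS log lines for requests to the .ida/.idq Index Server ISAPI extension carrying an oversized or %u-encoded query, the form of the CVE-2001-0500 request the worm sends to other Web servers. The log field order, the sample lines and the length threshold are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample IIS W3C extended log lines (not from any real server), in a reduced
# field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status. The padding
# in a real CodeRed II request is several hundred bytes; it is shortened here.
SAMPLE_LOG = """\
2001-08-05 03:14:07 192.0.2.10 GET /default.htm - 200
2001-08-05 03:14:09 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-05 03:15:30 192.0.2.11 GET /images/logo.gif - 200
2001-08-05 03:16:02 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 200
2001-08-05 03:17:45 192.0.2.12 GET /search.idq CiRestriction=test 200
2001-08-05 03:18:11 203.0.113.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# CVE-2001-0500 is reached through the Index Server ISAPI extension (.ida/.idq requests);
# the worm sends an oversized query carrying %u-encoded code.
ISAPI_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
UENC_RE = re.compile(r"%u[0-9a-fA-F]{4}")
MIN_SUSPICIOUS_QUERY = 40  # heuristic threshold, an assumption of this example

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, stem, query, status = m.groups()
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": int(status)}

def is_ida_overflow_attempt(rec):
    """True for a request to the .ida/.idq extension whose query is oversized or
    %u-encoded: the shape of a CodeRed-family propagation attempt."""
    if not ISAPI_RE.search(rec["stem"]):
        return False
    return len(rec["query"]) >= MIN_SUSPICIOUS_QUERY or bool(UENC_RE.search(rec["query"]))

def scan_log(text):
    """Return the flagged records and a per-source-IP count of attempts."""
    hits, sources = [], Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_ida_overflow_attempt(rec):
            hits.append(rec)
            sources[rec["ip"]] += 1
    return hits, sources

if __name__ == "__main__":
    hits, sources = scan_log(SAMPLE_LOG)
    print("flagged:", len(hits), "per source:", dict(sources))
```

A legitimate Index Server query (the `/search.idq` line) is left alone because it is short and carries no %u-encoding; a source appearing repeatedly in the per-IP count is itself likely an infected server scanning outward.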

For information on the detection and removal of the original CodeRed Worm, and to learn more about how other Symantec products can protect your system, refer to the Additional Information section of the CodeRed Worm document.

Refer to "Using Symantec Technologies to combat CodeRed" for more information on best leveraging Symantec technologies.

The original CodeRed had a payload that caused a Denial of Service (DoS) attack on the White House Web server. CodeRed II has a different payload that allows its creator to have full remote access to the Web server.

Security Response has created a tool to perform a vulnerability assessment of your computer and remove CodeRed Worm and CodeRed II.

If you are running the Microsoft IIS Server, we strongly recommend that you apply the latest Microsoft patch to protect your system from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A cumulative patch for IIS, which includes the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Norton AntiVirus is able to detect an infection on the Web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot. This Trojan takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp.

Once CodeRed II attacks a computer, it is difficult to determine what else the computer has been exposed to.

In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer and make changes to it.

Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.


Antivirus Protection Dates

  • Initial Rapid Release version August 5, 2001
  • Latest Rapid Release version pending
  • Initial Daily Certified version pending
  • Latest Daily Certified version pending
  • Initial Weekly Certified release date August 5, 2001

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Difficult
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High

Writeup By: Peter Szor, Eric Chien
