CodeRed II

As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild. This variant, CodeRed.F, differs in only two bytes from the original CodeRed II. Symantec Antivirus definitions will detect this variant as CodeRed Worm. The existing CodeRed Removal Tool will correctly detect and clean this new variant.

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed Worm because it uses the same "buffer overflow" exploit to propagate to other Web servers. Symantec Security Response received reports of a high number of infected IIS Web servers. CodeRed II is considered to be a serious threat.

For information on the detection and removal of the original CodeRed Worm, and to learn more about how other Symantec products can protect your system, refer to the Additional Information section of the CodeRed Worm document.

Refer to "Using Symantec Technologies to combat CodeRed" for more information on best leveraging Symantec technologies.

The original CodeRed had a payload that caused a Denial of Service (DoS) attack on the White House Web server. CodeRed II has a different payload that allows its creator to have full remote access to the Web server.

Security Response has created a tool to perform a vulnerability assessment of your computer and remove CodeRed Worm and CodeRed II.

If you are running the Microsoft IIS Server, we strongly recommended that you apply the latest Microsoft patch to protect your system from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A cumulative patch for IIS, which includes the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

Norton AntiVirus is able to detect an infection on the Web server by detecting the payload (Trojan component) of this worm as Trojan.VirtualRoot. This Trojan takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp.



Once CodeRed II attacks a computer, it is difficult to determine what else the computer has been exposed to.

In most cases, changes-other than those made by the threat-will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it.

Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.