As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.
CodeRed.F differs from the original CodeRed II in only two bytes. CodeRed II restarts the system if the year is greater than 2001; this variant no longer performs that check, so it keeps running and spreading on current dates.
Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which is detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and exploits a buffer overflow in the Index Server ISAPI extension (the .ida vulnerability addressed by MS01-033) to infect them. The worm runs entirely in the memory of the IIS process rather than copying itself to a file on disk, so a file scan alone will not find the running worm. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot, which gives the attacker full remote access to the Web server.
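As an added illustration, not part of the Symantec advisory, the following Python script scans IIS W3C extended log lines for the two artifacts described above: the /default.ida probe that carries the overflow, and later requests to root.exe or the /c and /d virtual roots that indicate the dropped Trojan's backdoor is being used. The request shape is the widely published CodeRed signature (a long filler run followed by %u-encoded shellcode); the log lines are constructed, and the field order assumes the default W3C fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status.

```python
"""Flag CodeRed-style probes and VirtualRoot backdoor use in IIS W3C logs.

Added example; the log lines below are constructed, not taken from a real server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (W3C extended format, default fields):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-11 09:14:02 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2003-03-11 09:15:44 192.0.2.10 GET /scripts/root.exe /c+dir 200
2003-03-11 09:16:01 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 200
2003-03-11 09:20:13 198.51.100.7 GET /index.html - 200
2003-03-11 09:21:30 198.51.100.7 GET /default.htm - 304
"""

# The probe is a GET for /default.ida whose query is a long filler run followed
# by %u-encoded shellcode. CodeRed I used a run of 'N'; CodeRed II (and
# CodeRed.F, which differs from it by two bytes) uses a run of 'X'.
PROBE_RE = re.compile(r"^(?P<filler>N{20,}|X{20,})(?:%u[0-9a-f]{4})+", re.I)

# Post-infection backdoor paths: root.exe copies of cmd.exe in the scripts and
# msadc directories, and the /c and /d virtual roots mapped onto the drives.
BACKDOOR_RE = re.compile(
    r"^(?:/scripts/root\.exe|/msadc/root\.exe|/[cd]/winnt/system32/cmd\.exe)$"
)


@dataclass
class Finding:
    line_no: int
    client: str
    kind: str      # "codered_probe" or "backdoor_use"
    status: int    # sc-status; 200 on a backdoor path means the path exists
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into the fields used here; skip directives."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, _method, stem, query, status = parts[:7]
    return {"c_ip": c_ip, "stem": stem, "query": query, "status": int(status)}


def scan_iis_log(text: str) -> List[Finding]:
    """Return one Finding per probe or backdoor request, in log order."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        stem = rec["stem"].lower()
        if stem == "/default.ida":
            m = PROBE_RE.match(rec["query"])
            if m:
                family = ("CodeRed I" if m.group("filler")[0].upper() == "N"
                          else "CodeRed II family (includes CodeRed.F)")
                findings.append(Finding(n, rec["c_ip"], "codered_probe",
                                        rec["status"], family))
        elif BACKDOOR_RE.match(stem):
            findings.append(Finding(n, rec["c_ip"], "backdoor_use",
                                    rec["status"], f"{rec['stem']} {rec['query']}"))
    return findings


def compromised_indicators(findings: List[Finding]) -> List[Finding]:
    """Backdoor requests that succeeded; a clean server answers them with 404."""
    return [f for f in findings if f.kind == "backdoor_use" and f.status == 200]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.kind} ({f.status}) {f.detail}")
    if compromised_indicators(scan_iis_log(SAMPLE_LOG)):
        print("Backdoor paths served with 200: treat this host as compromised.")
```

A probe alone only shows that the host was attacked; a 200 response on a root.exe or /c/winnt/system32/cmd.exe request shows that the Trojan's virtual roots exist and have been used, which is the case the reinstall advice below is written for.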
If you are running Microsoft IIS, we recommend that you apply the Microsoft patch for this vulnerability (MS01-033) to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
A cumulative patch for IIS that includes the four patches released to date is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000 (the "Relative Shell Path" issue covered by MS00-052, which lets a copy of explorer.exe placed in the root of the system drive run at logon in place of the real one). Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Once CodeRed.F attacks a computer, it is difficult to determine what else the computer has been exposed to.
In most cases, changes—other than those made by CodeRed.F or the dropped Trojan—will not have occurred. However, a hacker may have been able to use the Trojan to access the computer to make changes to it.
Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.