Discovered: July 16, 2001
Updated: February 13, 2007 11:36:53 AM
Also Known As: W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
Type: Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500 CVE-2001-0506



CodeRed Worm Update: August 10, 2001 (9:00 AM Pacific):
Symantec Security Response has created a removal tool to perform a vulnerability assessment of your computer and remove the CodeRed Worm and CodeRed II .

CodeRed Worm Update: August 5, 2001 (12:00 AM Pacific):
A variant of the CodeRed Worm has been detected as CodeRed II. Click here for more information.

CodeRed Worm Update: July 31, 2001 (1:00 PM Pacific):
Computers that were infected by CodeRed have stopped propagating this worm as of July 28, 2001, due to its logic of going into infinite sleep mode. Although there was much speculation as to whether this worm would wake up again on August 1, 2001, Symantec Security Response's analysis of the CodeRed worm indicates that a re-infection will not re-awaken already infected computers.

If the worm is once again injected into the Internet, it can only affect computers that still have the vulnerability on the Web server. Previously infected computers can be re-infected if they have not been patched. Symantec Security Response advises users of IIS4.0 and 5.0 to apply the Microsoft patch before August 1. Security Response will continue to monitor CodeRed activities on the Internet and will post updates to this page when available.

The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch is located at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp .

A Cumulative Patch for IIS that includes the four patches released to date is available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp .

System administrators are encouraged to apply the Microsoft patch to prevent infection of this worm and other unauthorized access.

For information on the various ways to check for this threat and the underlying vulnerability, or if you are using Symantec Enterprise Firewall, refer to the Additional Information section below.

C-lick here for information on how to best leverage Symantec technologies to combat the CodeRed threat.




Symantec offers multiple options to check for this threat and the underlying vulnerability.

Home users

  • Symantec Security Check is a tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
  • "FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
  • Norton Internet Security is Symantec's integrated security and privacy suite that has been updated with a new rule that blocks suspected outbound data traffic from the IIS server. This new rule can be applied to Norton Internet Security by running LiveUpdate.

Corporate users
  • Symantec Security Check is a free tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
  • "FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
  • Enterprise Security Manager (ESM) is a Symantec policy compliance and vulnerability management system that helps manage security patch update functions through the ESM patch module. Two patch templates are available that detect this vulnerability on Windows NT 4.0 and Windows 2000 servers. Download q300972.zip, and then extract the templates into the ESM Manager's /esm/template folder.
  • NetProwler is Symantec's network-based intrusion detection tool. With Security Update 8 installed, it will detect attempts to attack your IIS 4.0 and 5.0 servers that use this vulnerability. You can download NetProwler SU8 by running the product's auto update feature.
  • Symantec Enterprise Firewall is Symantec's application inspection firewall. By default, it blocks suspected outbound data traffic from Web servers like IIS. When running on the firewall's service network, it stops the propagation of this, as well as other types of attacks. See the section labeled Expanded Symantec Enterprise Firewall information below for more information about these default settings.
  • NetRecon, Symantec’s network vulnerability assessment tool, has been updated to detect this vulnerability. The tool checks the Microsoft IIS Index Service and will notify you if your IIS Server is exposed to the threat. Click here for more information.

You cannot reliably detect an infection by searching for a specific file, such as C:\Notworm, or by viewing HTML files of defaced Web pages, because the worm runs only in memory and never directly writes any information to your hard drive. For more information, see the "Technical Details" section. Also, it is unreliable to search for traces of the worm in log files, as even patched computers may contain log entries of previous attacks. Therefore, Symantec highly recommends applying the Microsoft patch, rather than relying on such methods of detection.

The worm spreads by using HTTP requests. This code exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The code is not saved as a file, but is inserted into and run directly from memory. Applying the Microsoft patch and then restarting the computer will remove the worm and prevent further infections.

In addition to seeking new host computers to attack, the worm may attempt a DoS attack. Also, the worm creates multiple threads, which can cause instability on your computer.

Finally, unpatched Cisco products and other services listening on port 80, such as Hewlett Packard JetDirect cards, may be vulnerable to the attack, or result in a DoS, due to port scans.


Expanded Symantec Enterprise Firewall information

Symantec Enterprise Firewall, VelociRaptor Firewall appliance, and Symantec Raptor Firewall provide a combination of protections, including "protect by default" security configurations, third-generation application inspection technology, and automatic initial and ongoing system hardening, to ensure that our firewall protects your network. In this case, the "protect by default" approach has again benefited our customers and the Internet community at large by helping to stop the propagation of the recent CodeRed Worm. You will automatically, and by default, prevent the propagation of this worm by using any of these firewalls where your public Web servers are located on the firewall's "service" network. We recommend that you double-check your configurations to ensure that rules were not added to allow Web servers on your service network that make outgoing Web requests. Since this is uncommon, changes to your Symantec Gateway Firewall should not be necessary.

If you have public Web servers on the firewall's "internal" network, Symantec recommends adding a rule to the firewall that prevents any of your Web servers from making outgoing Web requests. Since Web servers typically only need to accept incoming Web requests and do not need to make outgoing Web requests, this should not have a negative impact on your daily operations. This change will improve the overall security of your network and help prevent the propagation of this worm. In addition, we recommend that you review your network configuration and Web-server deployment. For the best possible protection, we also recommend that all publicly accessible servers be on the firewall's service network and not on the internal network.

For additional information, see the document Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow .

To determine whether your server has been patched, Microsoft provides the IIS 5.0 Hotfix Checking Tool, located at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168

Cisco's advisory regarding affected products can be found at:

http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

Microsoft tool
Microsoft has created a Tool to Remove Obvious Effects of the Code Red II Worm .

Antivirus Protection Dates

  • Initial Rapid Release version July 17, 2001
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version July 17, 2001
  • Latest Daily Certified version September 28, 2010 revision 036

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Eric Chien

Discovered: July 16, 2001
Updated: February 13, 2007 11:36:53 AM
Also Known As: W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
Type: Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500 CVE-2001-0506


The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.

Once run, the worm checks for the file, C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.

If the C:\Notworm file does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* .

If the default language of the computer is American English, further threads cause Web pages to appear defaced. First, the thread sleeps for two hours, and then hooks a function, which responds to the HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.

The HTML displays:

Welcome to http:// www.worm.com !
Hacked By Chinese!

This hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function.

Two versions of this worm have been in the wild. The second version does not cause the Web pages to be defaced.

Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service (DoS) attack on a particular IP address, by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was www.whitehouse.gov. This IP address has been changed and is no longer active.

Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.

NOTES:

  • If you are running Microsoft FrontPage or a similar program used to design Web pages, IIS may be installed on your computer.
  • For additional information, including the string that is added to the IIS log files, go to the CERT Coordination Center page at:

    http://www.cert.org/incident_notes/IN-2001-08.html


  • Hewlett-Packard Jet Direct cards listening on port 80 may also suffer a DoS.



Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Eric Chien

Discovered: July 16, 2001
Updated: February 13, 2007 11:36:53 AM
Also Known As: W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
Type: Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500 CVE-2001-0506


Symantec Security Response has created a tool to perform a vulnerability assessment of your computer and to remove the CodeRed Worm and CodeRed II.

If for any reason you cannot use or obtain the CodeRed removal tool , manually remove this worm.

Manually removing the worm

  1. Download, obtain, and apply the patch from the Web site, http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

    Alternatively, you can download and install the Cumulative Patch for IIS available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

  2. Restart the computer.


Writeup By: Eric Chien