CodeRed.F


Risk Level 2: Low

Discovered: March 11, 2003
Updated: February 13, 2007 11:44:14 AM
Also Known As: CodeRed.v3, CodeRed.C, CodeRed III, W32.Bady.C, W32/CodeRed.f.worm [McAfee], Win32.CodeRed.F [CA]
Type: Trojan Horse, Worm
Systems Affected: Microsoft IIS
CVE References: CVE-2001-0500, CVE-2001-0506

As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.

CodeRed.F differs from the original CodeRed II by only two bytes. CodeRed II will restart the system if the year is greater than 2001. This is no longer the case for this variant.

Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.


CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.
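
A log check that complements patching, added here as an example and not Symantec's tooling: MS01-033 concerns the Index Server ISAPI extension (idq.dll), which handles .ida and .idq requests, so overlong query strings sent to those extensions in IIS W3C extended logs are worth flagging per source address. The 200-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import io
from collections import Counter

# Constructed sample in W3C extended log format (documentation addresses, not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-11 10:00:01 192.0.2.10 GET /index.html - 200
2003-03-11 10:00:02 198.51.100.7 GET /default.ida {long} 200
2003-03-11 10:00:03 192.0.2.10 GET /search.idq q=patch 200
2003-03-11 10:00:04 203.0.113.9 GET /default.ida {long} 500
2003-03-11 10:00:05 198.51.100.7 GET /Default.IDA {long} 200
""".replace("{long}", "A" * 300)  # filler standing in for an overlong query

INDEX_SERVER_EXTS = (".ida", ".idq")  # extensions mapped to idq.dll (MS01-033)
MAX_QUERY_LEN = 200                   # assumed threshold; tune per site


def suspicious_requests(log_text, max_query_len=MAX_QUERY_LEN):
    """Yield (c-ip, uri-stem, query length) for overlong Index Server queries."""
    fields = []
    for line in io.StringIO(log_text):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if stem.endswith(INDEX_SERVER_EXTS) and len(query) > max_query_len:
            yield row.get("c-ip", "?"), stem, len(query)


def sources_by_hits(log_text):
    """Count flagged requests per source address, most active first."""
    return Counter(ip for ip, _, _ in suspicious_requests(log_text)).most_common()


if __name__ == "__main__":
    for ip, hits in sources_by_hits(SAMPLE_LOG):
        print(f"{ip}\t{hits} overlong .ida/.idq request(s)")
```
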

If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/security/bulletin/MS00-052.asp.

Once CodeRed.F attacks a computer, it is difficult to determine what else the computer has been exposed to.

In most cases, changes—other than those made by CodeRed.F or the dropped Trojan—will not have occurred. However, a hacker may have been able to use the Trojan to access the computer to make changes to it.

Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.

Antivirus Protection Dates

  • Initial Rapid Release version August 5, 2001
  • Latest Rapid Release version pending
  • Initial Daily Certified version pending
  • Latest Daily Certified version pending
  • Initial Weekly Certified release date August 5, 2001