Found this also
Discovered on: July 16, 2001
Last Updated on: July 24, 2001 at 10:51:28 AM PDT
Due to the increased number of virus submissions, on July 20, 2001, the Symantec AntiVirus Research Center (SARC) upgraded CodeRed Worm from a level 2 to a level 3 virus threat.
The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000 that run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the file Idq.dll. Information about this vulnerability and a Microsoft patch is located at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Also Known As: W32/Bady, I-Worm.Bady, Code Red, CodeRed, W32/Bady.worm
Type: Worm
Infection Length: 3569
Virus Definitions: July 18, 2001
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Damage:
Payload:
Degrades performance: Will spawn multiple threads and utilize bandwidth.
Causes system instability: Will spawn multiple threads.
Distribution:
Target of infection: Unpatched systems running Microsoft Index 2.0 or Windows 2000 Indexing Service
Technical description:
The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.
Once run, the worm checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.
If the file C:\Notworm does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* .
If the default language of the computer is U.S. English, further threads cause Web pages to appear defaced. First, the thread sleeps two hours and then hooks a function, which responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.
The HTML displays:
Welcome to
http:// www.worm.com !
Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, reinfection or other threads can rehook the function.
Two versions of this worm have been seen in the wild. The second version does not cause the webpages to be defaced.
Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service attack on a particular IP address by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was
www.whitehouse.gov. This IP address has been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.
Removal instructions:
To remove the worm:
1. Download, obtain and apply the patch from the following Web site:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
2. Restart the computer.
Additional information:
Symantec offers multiple options to check for this threat and the underlying vulnerability:
Home users:
Symantec Security Check is a free tool which allows you to determine if your computer is at risk.The tool is available in two forms, both of which are free. Click here to begin an online scan, or click here to download the tool onto your computer.
"FixCodeRed Assessment Tool" is a free tool which allows you to determine if your computer is at risk. If the vulnerability is found, the tool will scan memory to determine whether the worm is present. Click here to download the tool onto your computer.
Norton Internet Security is Symantec's integrated security and privacy suite which has been updated with a new rule that blocks suspected outbound data traffic from the IIS server. This new rule can be applied to Norton Internet Security by running LiveUpdate.
Corporate users:
Symantec Security Check is a free tool which allows you to determine if your computer is at risk.The tool is available in two forms, both of which are free. Click here to begin an online scan, or click here to download the tool to your computer.
"FixCodeRed Assessment Tool" is a free tool which allows you to determine if your computer is at risk. If the vulnerability is found, the tool will scan memory to determine if the worm is present. Click here to download the tool onto your computer.
Enterprise Security Manager (ESM) is a Symantec policy compliance and vulnerability management system which helps manage security patch update functions through the ESM patch module. Two patch templates are available that detect this vulnerability on Windows NT 4.0 and Windows 2000 servers. Download q300972.zip, and then extract the templates into the ESM Manager's /esm/template folder.
NetProwler is Symantec's network-based intrusion detection tool. With Security Update 8 installed, it will detect attempts to attack your IIS 4.0 and 5.0 servers that use this vulnerability. NetProwler SU8 can be downloaded by running the product's auto update feature.
Symantec Enterprise Firewall is Symantec's application inspection firewall. By default it blocks suspected outbound data traffic from Web servers like IIS. When running on the firewall's service network, it stops the propagation of this, as well as other types of attacks. See the section labeled Exapanded Symantec Enterprise Firewall information below for more information about these default settings.
NetRecon is Symantec's network vulnerability assessment tool that will be updated to detect this vulnerability on your computer, and if the tool finds it, provide recommendations on how to fix it. We will update this document when more information is available.
You cannot reliably detect an infection by searching for a specific file such as C:\Notworm or by viewing HTML files of defaced Web pages because the worm runs only in memory and never directly writes any information to your hard drive. For more information, see the Technical Description section. Also, it is unreliable to search for traces of the worm in log files, since even patched computers may contain log entries of previous attacks. Symantec highly recommends applying the Microsoft patch, rather than relying on such methods of detection, as they are unreliable.
The worm spreads by using HTTP requests. This code exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The code is not saved as a file, but is inserted into and run directly from memory. Applying the Microsoft patch and then restarting the computer will remove the worm and prevent further infections.
In addition to seeking out new host computers to attack, the worm may attempt a Denial of Service attack. Also, the worm creates multiple threads, which can cause instability on your computer.
Finally, unpatched Cisco products and other services listening on port 80, such as Hewlett Packard JetDirect cards, may be vulnerable to the attack, or result in a Denial of Service due to port scans.
Expanded Symantec Enterprise Firewall information
Symantec Enterprise Firewall, VelociRaptor Firewall appliance, and Symantec Raptor Firewall provide a combination of protections, including "protect by default" security configurations, third-generation application inspection technology, and automatic initial and ongoing system hardening, to ensure that our firewall protects your network. In this case, the "protect by default" approach has again benefited our customers and the Internet community at large by helping to stop the propagation of the recent CodeRed Worm. You will automatically, and by default, prevent the propagation of this worm by using any of these firewalls where your public Web servers are located on the firewall's "service" network. We recommend that you double-check your configurations to ensure that no rules were added to allow Web servers on your service network that make outgoing Web requests. Since this is uncommon, no changes to your Symantec Gateway Firewall should be needed.
If you have public Web servers on the firewall's "internal" network, Symantec recommends adding a rule to the firewall that prevents any of your Web servers from making outgoing Web requests. Since Web servers typically only need to accept incoming Web requests and do not need to make outgoing Web requests, this should have no negative impact on your day-to-day operations. This change will improve the overall security of your network and help prevent the propagation of this worm. In addition, we recommend a review of your network configuration and Web-server deployment. For the best possible protection, we also recommend that all publicly accessible servers be on the firewall's service network and not on the internal network.
For additional information, see the document Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow.
To determine whether your server has been patched, Microsoft provides the IIS 5.0 Hotfix Checking Tool, located at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
Check the following links for more info after you've updated the AV definitions:
http://www.symantec.com/avcenter/venc/data/codered.worm.html
http://www.symantec.com/press/2001/n010720a.htm
