New worm targets same systems as Code Red

A new and potentially more serious computer worm that tries to exploit the same security hole as the Code Red worm began circulating over the weekend, according to warnings issued by multiple research services and antivirus software vendors.

Code Red II is said to be more aggressive than the earlier worm because it installs a backdoor program in systems that allows attackers to easily access infected computers. Once logged in through the back door, an intruder could gain control of the machine by changing passwords and would also be able to copy, browse or delete files.

Like the original Code Red, which re-emerged last Tuesday after an initial round of attacks earlier last month, the new worm targets computers running Windows 2000 or Windows NT 4.0, along with Microsoft Corp.'s Internet Information Server (IIS) software. Most PCs aren't affected, and the worm also isn't a threat to servers that aren't running IIS.

While it has been given a similar name, Code Red II isn't a variant of the first worm, according to an advisory posted yesterday by a San Mateo, Calif.-based information service. Instead, Code Red II is an all-new worm that shares some signature attributes of its predecessor and imitates the method of attack used by the original Code Red.

Servers already infected by Code Red can be reinfected with the new worm, the advisory said, adding that Code Red II may be harder to detect because it automatically dies after two days. Systems administrators can recognize the new worm by a string of Xs used as filler characters in its header, whereas Code Red used the letter N.
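One way to act on that detection hint is to scan the server's own request logs for the filler runs, as in this added example (not from the article or from any vendor advisory). It assumes W3C-style IIS log fields, that the worm's request shows up as a GET for an .ida resource with the filler in the query string, and a constructed run-length threshold; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample IIS log lines (assumed W3C extended layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The /default.ida path and the %u-encoded tail are assumptions about how the
# worm traffic looks; the article only states the filler letters (N vs X).
SAMPLE_LOG = """\
2001-08-05 10:12:01 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-08-05 10:12:03 192.0.2.11 GET /index.htm - 200
2001-08-05 10:12:07 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 200
2001-08-05 10:12:09 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 404
2001-08-05 10:12:11 192.0.2.12 GET /search.ida q=NNN 200
"""

# A run of at least MIN_RUN identical filler letters is treated as worm padding;
# the threshold is an assumption chosen so that short strings such as "NNN" in
# ordinary query strings do not trigger a hit.
MIN_RUN = 32
FILLER = {"N": "Code Red", "X": "Code Red II"}
RUN_RE = re.compile(r"(N{%d,}|X{%d,})" % (MIN_RUN, MIN_RUN))


def classify(line):
    """Return (client_ip, worm_name) for one log line, or None if the
    request does not carry either worm's filler pattern."""
    fields = line.split()
    if len(fields) < 6 or fields[3] != "GET":
        return None
    query = fields[5]
    match = RUN_RE.search(query)
    if not match:
        return None
    return fields[2], FILLER[match.group(1)[0]]


def summarize(log_text):
    """Count suspected worm requests per (client_ip, worm_name) over a log.
    Repeated hits from one source show which hosts are actively probing."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result] += 1
    return hits


if __name__ == "__main__":
    for (ip, worm), count in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s) matching {worm}")
```

A hit only tells you a worm probed the server; whether the probe succeeded depends on whether the Microsoft patch was already applied.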

Computer Associates International Inc. yesterday described Code Red II as a "medium-to-high risk" for users. But Islandia, N.Y.-based CA said the good news is that the same Microsoft patch that protects IIS-equipped servers from the first worm can stop Code Red II. Separate versions of the patch are available for Windows 2000 and NT 4.0.

The two worms exploit a buffer overflow problem in the index server included in Versions 4.0 and 5.0 of IIS, Microsoft's widely used Web server software. Microsoft warned of the vulnerability in June and urged "strongly" that all IIS users immediately install the patch. Step-by-step instructions have been posted on the Web site of San Francisco-based e-business network operator Digital Island Inc.

SecurityFocus recommended that systems administrators who haven't already installed the Code Red patch do the following: Download the patch from Microsoft's Web site; disconnect your machine from the Internet; reboot your system to clear the worm from memory; apply the patch to prevent reinfection; reboot your system and reconnect to the Internet.

Copyright © 2001 IDG Communications, Inc.