Code Red II
New Version of Code Red Worm Compromises Security
A new version of the Code Red worm has been discovered compromising infected users with a Remote Access Trojan. Code Red II takes advantage of the same security vulnerability as the original Code Red worm. In its new form, however, the worm leaves systems vulnerable to outside attack and hostile takeover.

Like its predecessor, Code Red II takes advantage of a buffer overrun vulnerability in Microsoft® IIS web server software. The method used to drop the Trojan relies on a much older vulnerability, resolved by MS00-052 and first reported in July 2000. In that flaw, the registry entry pointing to the Windows Shell executable (Explorer.exe) provides a relative, rather than an absolute, pathname. This allows the worm to drop a Trojan named Explorer.exe at the root of drives C:\ and D:\ and have control passed to that copy. The Trojan then launches the real Explorer.exe in an attempt to avoid detection.

Once the system has been compromised, Code Red II hibernates. Though it chooses to sleep instead of phoning home, according to a security alert issued by Russ Cooper, editor of NTBugtraq, "The end result of all of this action is to leave your box wide open to remote connection and total compromise." Cooper recommends attempting to delete the root bound explorer.exe. If the file cannot be deleted, the Trojan has been activated and Cooper recommends a complete system reformat to ensure security.
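As an added example (not part of the original article or of Cooper's alert), the following PowerShell script performs Cooper's check non-destructively: it looks for explorer.exe at the root of every fixed drive, tests whether each copy is locked by a running process (the article's "cannot be deleted" condition), compares its hash with the legitimate %SystemRoot%\explorer.exe, and reports whether the Winlogon Shell registry value is relative. The registry key and value name (HKLM\...\Winlogon, Shell) are the standard Winlogon location and are an assumption here, since the article does not name them; the report is intended to inform a patch-and-rebuild decision, not to clean the host.

```powershell
# Added example, not from the article: defensive check for the Code Red II
# Trojan-drop pattern (explorer.exe at a drive root). Assumptions are marked.
function Test-CodeRedIIDrop {
    $report = [ordered]@{}

    # 1. Winlogon Shell value. The article says the entry pointing to the
    #    shell used a relative name before MS00-052. Key/value name assumed
    #    (standard Winlogon location; the article does not name it).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    $report['ShellValue']      = $shell
    $report['ShellIsAbsolute'] = [bool]($shell -and
        [System.IO.Path]::IsPathRooted($shell.Split(',')[0].Trim()))

    # Hash of the genuine shell for comparison with any root-of-drive copy.
    $realExplorer = Join-Path $env:SystemRoot 'explorer.exe'
    $realHash = (Get-FileHash -LiteralPath $realExplorer -Algorithm SHA256).Hash
    $report['SystemExplorerSha256'] = $realHash

    # 2. Look for explorer.exe at the root of every ready fixed drive
    #    (the article names C:\ and D:\; checking all fixed drives generalises).
    $found = @()
    $drives = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady }
    foreach ($drive in $drives) {
        $candidate = Join-Path $drive.RootDirectory.FullName 'explorer.exe'
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        # Cooper's test is "try to delete it; if you cannot, the Trojan is
        # active". Approximate that without deleting anything: a running
        # executable is locked, so an exclusive open (FileShare.None) fails.
        $locked = $false
        try {
            $fs = [System.IO.File]::Open($candidate, 'Open', 'Read', 'None')
            $fs.Close()
        } catch { $locked = $true }

        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $found += [pscustomobject]@{
            Path              = $candidate
            SizeBytes         = (Get-Item -LiteralPath $candidate -Force).Length
            LockedByProcess   = $locked
            Sha256            = $hash
            MatchesSystemCopy = ($hash -eq $realHash)
        }
    }
    $report['RootExplorerCopies'] = $found

    # Verdict, following the article's guidance: a locked root copy means the
    # Trojan has been activated (Cooper: rebuild); an unlocked one should still
    # be removed and the MS01-033 / MS00-052 patches applied.
    $report['Verdict'] = if ($found | Where-Object LockedByProcess) {
        'Root explorer.exe is locked: Trojan active, treat host as fully compromised'
    } elseif ($found) {
        'Root explorer.exe present but not locked: remove it and patch'
    } else {
        'No root-of-drive explorer.exe found'
    }
    [pscustomobject]$report
}

# Usage (run elevated so every drive root and the registry are readable):
Test-CodeRedIIDrop | Format-List
```

The lock test is deliberately read-only: it never deletes the file, so the script can be run repeatedly and its output kept as evidence before the host is rebuilt, which is the outcome Cooper recommends once the Trojan is confirmed active.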

Reportedly, the worm also affects the Cisco 600 series of DSL routers, which will stop forwarding traffic if scanned by a Code Red infected system. The Cisco router must then be rebooted to restore service. The vulnerability that makes this possible was addressed by Cisco in December 2000 and a free software upgrade can be downloaded from Cisco at http://www.cisco.com/warp/public/707/CBOS-multiple.shtml.

Neither Code Red nor Code Red II is detectable by antivirus software. To protect systems, administrators must install the applicable security patches:

• MS01-033: Buffer Overrun vulnerability in IIS
• MS00-052: Relative pathname for Explorer.exe
• CISCO: Multiple Vulnerabilities in CBOS

©2009 About.com, a part of The New York Times Company.

All rights reserved.