CodeRed Worm Update: August 10, 2001 (9:00 AM Pacific):
Symantec Security Response has created a removal tool to perform a vulnerability assessment of your computer and remove the CodeRed Worm and CodeRed II.
CodeRed Worm Update: August 5, 2001 (12:00 AM Pacific):
A variant of the CodeRed Worm has been detected as CodeRed II. Click here for more information.
CodeRed Worm Update: July 31, 2001 (1:00 PM Pacific):
Computers that were infected by CodeRed have stopped propagating this worm as of July 28, 2001, due to its logic of going into infinite sleep mode. Although there was much speculation as to whether this worm would wake up again on August 1, 2001, Symantec Security Response's analysis of the CodeRed worm indicates that a re-infection will not re-awaken already infected computers.
If the worm is once again injected into the Internet, it can only affect computers that still have the vulnerability on the Web server. Previously infected computers can be re-infected if they have not been patched. Symantec Security Response advises users of IIS4.0 and 5.0 to apply the Microsoft patch before August 1. Security Response will continue to monitor CodeRed activities on the Internet and will post updates to this page when available.
The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch is located at: www.microsoft.com/technet/security/bulletin/MS01-033.asp.
A Cumulative Patch for IIS that includes the four patches released to date is available at: www.microsoft.com/technet/security/bulletin/MS01-044.asp.
System administrators are encouraged to apply the Microsoft patch to prevent infection of this worm and other unauthorized access.
For information on the various ways to check for this threat and the underlying vulnerability, or if you are using Symantec Enterprise Firewall, refer to the Additional Information section below.
C-lick here for information on how to best leverage Symantec technologies to combat the CodeRed threat.
Degrades performance: Will spawn multiple threads and use bandwidth.
Causes system instability: Will spawn multiple threads.
Distribution
Target of infection: Unpatched systems running Microsoft Index 2.0 or Windows 2000 Indexing Service.
The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.
Once run, the worm checks for the file, C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.
If the C:\Notworm file does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.* .
If the default language of the computer is American English, further threads cause Web pages to appear defaced. First, the thread sleeps for two hours, and then hooks a function, which responds to the HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.
The HTML displays:
Welcome to www.worm.com ! Hacked By Chinese!
This hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function.
Two versions of this worm have been in the wild. The second version does not cause the Web pages to be defaced.
Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service (DoS) attack on a particular IP address, by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was www.whitehouse.gov. This IP address has been changed and is no longer active.
Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.
NOTES:
If you are running Microsoft FrontPage or a similar program used to design Web pages, IIS may be installed on your computer.
For additional information, including the string that is added to the IIS log files, go to the CERT Coordination Center page at:
www.cert.org/incident_notes/IN-2001-08.html
According to Qwest, this worm may have affected the Cisco modem series 675 and 678 of some DSL subscribers. For additional information, go to:
Hewlett-Packard Jet Direct cards listening on port 80 may also suffer a DoS.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Symantec Security Response has created a tool to perform a vulnerability assessment of your computer and to remove the CodeRed Worm and CodeRed II.
If for any reason you cannot use or obtain the CodeRed removal tool, manually remove this worm.
Manually removing the worm
Download, obtain, and apply the patch from the Web site, www.microsoft.com/technet/security/bulletin/MS01-033.asp.
Alternatively, you can download and install the Cumulative Patch for IIS available at: www.microsoft.com/technet/security/bulletin/MS01-044.asp.
Restart the computer.
Additional information:
Symantec offers multiple options to check for this threat and the underlying vulnerability.
Home users
Symantec Security Check is a tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
"FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
Norton Internet Security is Symantec's integrated security and privacy suite that has been updated with a new rule that blocks suspected outbound data traffic from the IIS server. This new rule can be applied to Norton Internet Security by running LiveUpdate.
Corporate users
Symantec Security Check is a free tool that allows you to determine whether your computer is at risk. Click here to begin a free online scan.
"FixCodeRed Assessment Tool" is a free downloadable tool that allows you to determine whether your computer is at risk. If a vulnerability is found, the tool will scan the memory to determine whether the worm exists.
Enterprise Security Manager (ESM) is a Symantec policy compliance and vulnerability management system that helps manage security patch update functions through the ESM patch module. Two patch templates are available that detect this vulnerability on Windows NT 4.0 and Windows 2000 servers. Download q300972.zip, and then extract the templates into the ESM Manager's /esm/template folder.
NetProwler is Symantec's network-based intrusion detection tool. With Security Update 8 installed, it will detect attempts to attack your IIS 4.0 and 5.0 servers that use this vulnerability. You can download NetProwler SU8 by running the product's auto update feature.
Symantec Enterprise Firewall is Symantec's application inspection firewall. By default, it blocks suspected outbound data traffic from Web servers like IIS. When running on the firewall's service network, it stops the propagation of this, as well as other types of attacks. Seethe sectionlabeled Expanded Symantec Enterprise Firewall information below for more information about these default settings.
NetRecon, Symantec’s network vulnerability assessment tool, has been updated to detect this vulnerability. The tool checks the Microsoft IIS Index Service and will notify you if your IIS Server is exposed to the threat. Click here for more information.
You cannot reliably detect an infection by searching for a specific file, such as C:\Notworm, or by viewing HTML files of defaced Web pages, because the worm runs only in memory and never directly writes any information to your hard drive. For more information, see the "Technical Details" section. Also, it is unreliable to search for traces of the worm in log files, as even patched computers may contain log entries of previous attacks. Therefore, Symantec highly recommends applying the Microsoft patch, rather than relying on such methods of detection.
The worm spreads by using HTTP requests. This code exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The code is not saved as a file, but is inserted into and run directly from memory. Applying the Microsoft patch and then restarting the computer will remove the worm and prevent further infections.
In addition to seeking new host computers to attack, the worm may attempt a DoS attack. Also, the worm creates multiple threads, which can cause instability on your computer.
Finally, unpatched Cisco products and other services listening on port 80, such as Hewlett Packard JetDirect cards, may be vulnerable to the attack, or result in a DoS, due to port scans.
Expanded Symantec Enterprise Firewall information
Symantec Enterprise Firewall, VelociRaptor Firewall appliance, and Symantec Raptor Firewall provide a combination of protections, including "protect by default" security configurations, third-generation application inspection technology, and automatic initial and ongoing system hardening, to ensure that our firewall protects your network. In this case, the "protect by default" approach has again benefited our customers and the Internet community at large by helping to stop the propagation of the recent CodeRed Worm. You will automatically, and by default, prevent the propagation of this worm by using any of these firewalls where your public Web servers are located on the firewall's "service" network. We recommend that you double-check your configurations to ensure that rules were not added to allow Web servers on your service network that make outgoing Web requests. Since this is uncommon, changes to your Symantec Gateway Firewall should not be necessary.
If you have public Web servers on the firewall's "internal" network, Symantec recommends adding a rule to the firewall that prevents any of your Web servers from making outgoing Web requests. Since Web servers typically only need to accept incoming Web requests and do not need to make outgoing Web requests, this should not have a negative impact on your daily operations. This change will improve the overall security of your network and help prevent the propagation of this worm. In addition, we recommend that you review your network configuration and Web-server deployment. For the best possible protection, we also recommend that all publicly accessible servers be on the firewall's service network and not on the internal network.
For additional information, see the document Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow.
To determine whether your server has been patched, Microsoft provides the IIS 5.0 Hotfix Checking Tool, located at: