
Worm:W32/CodeRed


First posted on 15 June 2010.
Source: SecurityHome

Aliases:

There are no other names known for Worm:W32/CodeRed.

Explanation:

A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Additional Details

This is the original Code Red web worm (the A variant), first found in July 2001.

History


UPDATE ON 1ST OF AUGUST, 2001

By 15:00 GMT, 15 hours after widespread Code Red infections restarted, the situation is getting rapidly worse. The worm has gone worldwide again, infecting vulnerable web sites at an increasing rate. The number of infected servers almost doubles every hour, and has passed 20,000 infected machines.
In comparison, on the 19th of July, Code Red infected around 300,000 servers, and was only stopped because the worm stopped infections by itself. This time around the worm won't stop spreading for another three weeks.

UPDATE ON 1ST OF AUGUST, 2001

By 12:00 GMT, 12 hours after the new spreading phase of the Code Red worm restarted, no visible effects of the worm could be seen. The worm did restart spreading, as feared, but the initial rate of infections was not very fast.
The worm might gain more ground later on, but it's likely that the number of reinfected web servers will be lower than in July, and the effects of the worm on the general public will be minimal.

Propagation

Code Red is a worm that exploits a security hole in Microsoft Internet Information Server (IIS) to spread. When it infects a server it starts to scan for other vulnerable servers and infects them. During a certain period of time the worm only spreads; then it initiates a Denial-of-Service (DoS) attack against www1.whitehouse.gov, and finally it suspends all activity.

This cycle repeats every month. The time zone in the above picture is GMT.
The worm can resume its infection phase at midnight on July 31st if there are infected servers on the Internet with incorrect date settings, so that they are already scanning for vulnerable hosts, or if the worm is restarted manually by a malicious party.
The front page of an infected server might have been changed by the worm to the following:

Last update 15 June 2010
