This is a special alert from The Funny/Alerts Newsletter. Code Red has been dragging down the internet for several days now and, although you may not have known it, you are being affected by all of the extra traffic the Internet Service Providers are being forced to handle. Code Red is technically not a virus. It is classified as an Internet Worm because its main function is to search for vulnerable systems and attack them.
The systems that are vulnerable to this attack are Windows 2000 and Windows NT. If you are running Windows 3.x, 9x or Millennium you should be safe, unless you are also running a server of some type. Most of the probes to my systems have been to Web and FTP server ports but since I'm not running any Internet Information Services (IIS) on my systems the attacks have been fended off by ZoneAlarm.
If you have a server that's been infected by the original Code Red immediately shut down your server, clean boot and scan with the latest anti-virus signatures you have available to you. Then apply any and ALL security patches before rebooting. If, on the other hand, you've been infected by the new Code Red 2, the only recourse you have is to completely format the HD and reinstall the operating system and programs!
Most ISPs are now blocking inbound port 80 to their networks, unless it is needed. While this still leaves infected machines online, it does limit the number of machines that are vulnerable. With this, they have moved to threat-level YELLOW. There is a new variant (II) of Code Red spreading.
EXPLOITED VULNERABILITY AND OVERVIEW
This worm uses the same mechanism as the original Code Red worm to infect vulnerable computers. That is, the worm looks for systems running IIS that have not patched the unchecked buffer vulnerability in idq.dll or removed the ISAPI script mappings. The worm exploits the vulnerability to inject itself into a system. Note that ANY system running Microsoft Windows 2000 (any version including Professional) may have a vulnerable IIS server installed.
It is quite possible for an IIS server to be installed without the user's knowledge.
In fact, due to the targeting algorithm used by this new worm, the infection is spreading wildly through ISP networks. Cable and DSL subscribers are especially at risk and many have been experiencing network outages due to the worm's "ARP Flooding" Denial of Service side-effect. Experts believe that many of the systems currently infected belong to home PC users who do not realize that they have the IIS server software installed.
Except for using the buffer overflow injection mechanism, this new worm is entirely different from the original Code Red CRv1 and CRv2 variants. In fact, Code Red II is more dangerous because it opens back doors on infected servers that allow any follow-on remote attacker to execute arbitrary commands. Reports have already been received of attackers attempting to exploit these back doors to wage distributed ping flooding attacks.
Most importantly, due to the more malicious actions of this worm, patching and rebooting an infected server is no longer sufficient to clean the system. If a system has been infected, or if a vulnerable system has simply been left unpatched while Code Red II has been circulating, the only real solution is to reformat the system's hard drive and reinstall all the software.
Note: According to eEye, the worm code will be successfully executed only on a Win2000 system running a vulnerable IIS server. WinNT-based IIS servers will simply crash when attempting to execute the worm code. Our experiments and reports received from users confirm this finding.
The South Korean Information and Communication Ministry has reported the discovery of Code Red III. However, most people are speculating that this worm is simply one of the strains we already know, and confusion is arising due to the way the variants are currently named.
IS MY MICROSOFT SYSTEM VULNERABLE?
Systems running Windows NT 4.0 or Windows 2000 may be vulnerable. Specifically, these systems are vulnerable if they are running the IIS 4.0 or IIS 5.0 web server software.
Note that IIS is often installed by other applications and may be installed without the user's knowledge. Here is how to check (from the Microsoft instructions):
To determine whether you are running vulnerable versions of IIS:
Press Ctrl-Alt-Del and select Task Manager.
When the Task Manager window appears, select the Processes tab.
Look down the Image Name column of the window that appears.
If you see Inetinfo.exe, you are running IIS.
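The Task Manager check above tells you whether IIS is present at all; if it is, the web server's own logs will show whether the idq.dll hole described under EXPLOITED VULNERABILITY AND OVERVIEW is being probed. The following scanner is an added example written for this alert, not code from Microsoft or eEye: it reads IIS W3C extended log lines and flags requests to the .ida/.idq script mappings (the extensions handled by idq.dll) that carry an overlong query string. The 200-byte threshold and the sample log lines are constructed assumptions, not captured traffic.

```python
# Added example: flag .ida/.idq requests with oversized query strings in IIS W3C logs.
# Sample log below is constructed for illustration; the long query is just filler.
IDQ_EXTENSIONS = (".ida", ".idq")  # script mappings served by idq.dll

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 10:15:01 192.0.2.10 GET /default.htm - 200
2001-08-06 10:15:07 198.51.100.23 GET /default.ida {q} 200
2001-08-06 10:16:30 192.0.2.44 GET /scripts/search.idq q=test 200
""".format(q="X" * 224)  # constructed overlong query (the unchecked buffer)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        yield dict(zip(fields, values))


def find_idq_probes(log_text, min_query_len=200):
    """Return .ida/.idq requests whose query string is at least min_query_len bytes.

    min_query_len is an assumed threshold: legitimate Index Server queries are
    short, while the overflow needs a query far longer than any normal search.
    """
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")  # IIS logs an empty query as "-"
        if stem.endswith(IDQ_EXTENSIONS) and query != "-" and len(query) >= min_query_len:
            hits.append({"client": rec["c-ip"], "stem": stem, "query_len": len(query)})
    return hits


if __name__ == "__main__":
    for hit in find_idq_probes(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['stem']} ({hit['query_len']}-byte query)")
```

A hit only means a probe arrived; whether it succeeded depends on whether the server was patched or the script mappings removed, as the overview explains.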
Systems running Windows 3.1, 95, 98, and ME are not vulnerable. Windows XP systems may be vulnerable but there is no patch for these systems as XP is a beta release and should not be used on production servers.
Please exercise a prudent minimum level of due care.