Help & How-To: Code Red

The US government and Microsoft are urging users of Windows NT and 2000 to patch their IIS software by 31 July
Written by Robert Vamosi, Contributor

Microsoft and the National Infrastructure Protection Center (NIPC) today urged all users of Microsoft's IIS 4.0 and 5.0 to install a security patch to protect against Code Red. The worm, currently in a dormant phase, will re-awaken on 1 August, 2001 at 0:00 GMT, and is thought to be more dangerous the second time around. Code Red spreads by scanning the Internet for vulnerable IIS systems, and it is this scanning activity that has the potential to degrade service across the entire Internet. A patch issued by Microsoft removes the IIS vulnerability that the worm scans for in Windows NT and 2000. Users of Microsoft Windows 95, Windows 98 or Windows Me are not affected by the Code Red worm.

The Code Red worm, named after a high-caffeine cola from Mountain Dew, exploits a known vulnerability in ida.dll, a component of the Index Server that provides support for .ida and .idq files. In Microsoft's IIS 4.0 and 5.0, ida.dll is subject to buffer overruns, allowing a malicious user to run rogue code and gain access to the server. Microsoft originally posted a patch for this vulnerability on 18 June, 2001.
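As an added example (not part of the original article or of any vendor tool), the following Python sketch reviews IIS W3C extended logs for requests to .ida or .idq files that carry an unusually long query string, and counts them per client address. The length threshold, the sample log lines and the addresses are constructed assumptions; the example assumes only that an overrun attempt shows up as an oversized request to these file types.

```python
from collections import Counter

# Assumption: a query string this long on an Index Server file type is
# abnormal; tune the threshold against your own legitimate traffic.
MAX_QUERY_LEN = 200
INDEX_EXTS = (".ida", ".idq")

def suspicious_index_requests(lines, max_query_len=MAX_QUERY_LEN):
    """Return Counter {client_ip: hits} for oversized .ida/.idq requests.

    Expects W3C extended log lines; column positions are read from the
    '#Fields:' directive, so logs with different field sets still parse.
    """
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if stem.endswith(INDEX_EXTS) and query != "-" and len(query) > max_query_len:
            hits[rec.get("c-ip", "unknown")] += 1
    return hits

# Constructed sample log (documentation-range addresses, filler query string).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200",
    "2001-07-19 14:02:15 198.51.100.7 GET /default.ida " + "A" * 240 + " 200",
    "2001-07-19 14:02:19 192.0.2.33 GET /search.idq CiScope=/&q=patch 200",
    "2001-07-19 14:03:40 198.51.100.7 GET /DEFAULT.IDA " + "A" * 240 + " 500",
    "2001-07-19 14:04:02 203.0.113.5 GET /default.ida - 404",
]

if __name__ == "__main__":
    for ip, count in suspicious_index_requests(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} oversized .ida/.idq request(s)")
```

A hit in the log shows that the server was probed, not that it was infected; whether the request succeeded depends on whether the patch was installed.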

However, not all the affected IIS systems were patched. Within a few hours on 19 July, the Code Red worm spread to more than 250,000 machines worldwide. The worm, believed to have started at a university in Guangdong, China, searches out systems with the vulnerable ida.dll by choosing random Internet addresses, and defaces some infected Web sites with the phrase "Hacked by Chinese." The original outbreak of the worm was to have launched a denial-of-service attack upon www.whitehouse.gov, but the White House changed its numerical address and avoided the attack. Code Red continued to spread from 20 July to 27 July, when it went dormant.

Variations of the worm have been seen in the wild and reported to BugTraq. In a rare move, the government is joining with Microsoft to encourage all users of Windows NT and 2000 to install the security patch. Users of the beta version of Windows XP should contact Microsoft directly for more information.

The worm can be removed by rebooting an infected system; however, that solution does not guard against infection again at a later time. Therefore, Microsoft has created a security patch for the following systems: Windows NT version 4.0 and Windows 2000 Professional, Server and Advanced Server. In addition, Symantec has a free tool to scan your system for signs of infection.

Additional information regarding the patch can be found on Microsoft's Web site. Also, Digital Island has detailed step-by-step instructions for installing the patches and safeguarding your system.
