Double Trouble: Code Red and Sircam Plagues Continue

Computer users face high-profile threats from multiple sources

Computer users continue to face attacks on two fronts as the impersonal Code Red worm persists in infecting Web servers and the extremely personal Sircam virus keeps replicating in e-mail in-boxes worldwide.

Code Red doesn't directly attack PCs, but it has the potential to impact online access and Web site performance, according to security experts who have seen more than 200,000 additional Web servers hit by the latest round of Code Red infestation.

During the first wave, which began in mid-July, the worm infected about 250,000 servers running Microsoft's Internet Information Service software. Code Red's wild card is what will happen when it is due to switch to attack mode on August 20.

The bug exploits an easily corrected flaw in the IIS software. There have been more than 1 million downloads of the patch that Microsoft developed to fix the problem, which is unique to servers running versions 4.0 and 5.0 of the IIS program.

Code Red Still Threatens

"As much as we would like to, we still cannot say that the threat from Version 2 has entirely passed. We continue to see an increase in the number of computers that are being infected by Version 2," says a statement on the FBI's National Infrastructure Protection Center Web site. "However, the rate of increase is slowing down."

Code Red began its second monthly attack cycle Tuesday. For the first 20 days of the month, the worm searches for vulnerable Web servers to infect and use as pawns in the recruitment drive. At the end of three weeks, the worm turns to attack mode and uses the phalanx of infected servers to unleash a storm of information requests on a target Web site (the original target was the White House Web site). Then the worm goes into hibernation until the first of the next month.

NIPC says mutations of Code Red are being studied in hopes of learning whether the worm's tactics will be modified or targets changed.

You've Got Sircam Mail

Sircam is a bug of a different sort. It is passed to PC users as an e-mail attachment. Once downloaded, the virulent bug dives into a user's PC, extracts a file at random, and begins sending an infected version of that file to friends, family, and other correspondents listed on the victim's e-mail address list.

Computer security experts say the Sircam virus remains the number one active virus in cyberspace, but its spread is slowing. Despite wide-ranging publicity, the tricky pest continues to fool thousands of e-mail recipients each day into opening its dangerous payload. Since those e-mails come from someone the user knows, the usual warnings about not opening attachments sent by strangers aren't working.

"We've seen many end users infected more than once because it's able to change itself with different messages in the body (of the e-mail) and subject (line)," says Vince Gullotto, Senior Director of Research for McAfee.

"We've seen tens of thousands of people infected, if not hundreds of thousands around the Net," Gullotto adds.

Andy Faris, president of the Americas division of MessageLabs, an international e-mail security services company, says the firm is seeing a "slight subsiding" in the spread of Sircam.

"This has been one of the more, if not the most, unique viruses we've seen," Faris says. "For most viruses, the nature of an outbreak is that it's over in 48 hours. This has been around for weeks."

E-mail Security Measures Work

It could have been much worse, growing to the level of the LoveLetter and the Melissa viruses, had it not been for improved e-mail security at the corporate and enterprise levels.

"Most of them were able to block it at the gateway and it didn't penetrate their environment. That's why we didn't get something that was LoveLetter size," Gullotto says.

The best Sircam defense for PC users who don't have the advantage of a corporate security team's expertise is to use virus-scanning software and delete any suspicious e-mails with attachments.

"We have a mantra here," says Gullotto. "Update. Update. Update. You have to update your [antivirus] software and do it on a weekly basis because you can never tell when the next virus may appear."
