Code Red II Worm on the Loose
New worm installs a backdoor in servers, giving attackers access to infected computers.
A new and potentially more serious version of the Code Red worm began circulating over the weekend, according to several computer security companies and services.
Code Red II is said to be more aggressive than the original worm because it installs a backdoor in servers that allows attackers to easily access infected computers. Once logged in, attackers can gain control of the machine by changing passwords; they can also copy, browse, or delete files.
Like the original Code Red, the new worm targets computers running Microsoft's Windows 2000 and Windows NT 4.0 operating systems and the Internet Information Server software, says Computer Associates International.
Personal computers running other operating systems, including other versions of Windows, are not targeted by Code Red or Code Red II. Neither are Windows 2000 machines that are not running IIS.
Code Red II is not a variant of the original Code Red, according to Security Focus, but rather a brand-new worm that shares signatures of the original and imitates the method of attack. Machines already infected with Code Red can be reinfected with Code Red II, and it may be more difficult to detect because it automatically dies after two days, says Security Focus.
Server operators can recognize the new version of the worm by the string of letter "X"s it sends in place of the "N"s sent by the original version, says the Incidents.org security Web site.
The good news is that the new worm does appear to be stopped by the Code Red patch that is available from Microsoft and already installed on thousands of computers, according to Computer Associates.
Security Focus recommends that server administrators who have not already downloaded the Code Red patch from Microsoft do the following: download Microsoft's patch from the Internet; disconnect your machine from the Internet; reboot your system to clear the worm from memory; apply the patch to prevent reinfection; reboot your system; and reconnect to the Internet.
Code Red was originally discovered in mid-July, shortly before it caused infected machines to launch a denial of service attack against the White House Web server. The worm lay dormant from July 27 until the end of the month, when it reactivated and began to infect computers again.
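The "X" versus "N" distinction reported above can be turned into a simple log check. The following is an added example, not code from the article or from any of the companies it quotes; the log line layout, the `/page` path, the `MIN_RUN` threshold, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: a run this long of one letter is padding, not a normal parameter.
MIN_RUN = 64

# A query string that begins with a long run of "N" or a long run of "X".
PADDING = re.compile(r"\?(N{%d,}|X{%d,})" % (MIN_RUN, MIN_RUN))
LABELS = {"N": "code-red", "X": "code-red-ii"}

# Constructed sample input in a simplified layout: "<client-ip> <method> <uri>".
SAMPLE_LOG = [
    "192.0.2.10 GET /page?" + "N" * 224 + "&tail",
    "198.51.100.7 GET /page?" + "X" * 224 + "&tail",
    "198.51.100.7 GET /page?" + "X" * 224 + "&tail",  # repeat probe, same source
    "203.0.113.5 GET /search?q=XXL+shirts",           # short run: legitimate
    "203.0.113.9 GET /index.html",
    "garbage",                                        # malformed line
]

def classify(uri):
    """Return 'code-red', 'code-red-ii', or None for one request URI."""
    match = PADDING.search(uri)
    return LABELS[match.group(1)[0]] if match else None

def summarize(lines):
    """Map each worm label to the sorted list of client IPs that sent it."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed layout
        ip, _method, uri = parts
        label = classify(uri)
        if label:
            hits[label].add(ip)
    return {label: sorted(ips) for label, ips in hits.items()}

if __name__ == "__main__":
    for label, ips in summarize(SAMPLE_LOG).items():
        print(label, ips)
```

A hit only shows that a probe arrived; it says nothing about whether the receiving server was patched or infected.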














