• PC World
• » Security

A virus writing group called 29A is denying reports that any of its members created the Code Red or Code Red II worms.

The denial comes after a German media report pinpointed 29A as the brains behind the malicious Internet worms. A Deutsche Presse Agentur report on Tuesday says that 29A has been bragging on online chat rooms about unleashing Code Red onto the Net. DPA also described 29A as a Dutch hacker group.

"Some Chinese guy is responsible [for Code Red] not any 29A member," says a Spanish member of 29A using the alias VirusBuster in an e-mail interview. He adds that 29A is not a hacker group, but a virus writing group. Most members are from Spain and the Czech Republic; none are Dutch, he says.

Mikko Hypponen, manager of antivirus research at antivirus software vendor F-Secure, has investigated the source of both Code Red and Code Red II and says he "is pretty confident 29A is not involved with any version of Code Red" as they lack the traditional 29A signature.

"The string 29A exists in the code of Code Red II. It is a binary reference to the number 666. The string is part of the code that is executed and not something that was set apart as a signature. In viruses created by a 29A member the signature is not part of the code, but separate and is always in a special format," he says.

Looking for Clues

Experts and authorities worldwide are trying to determine who is responsible for Code Red and Code Red II. There is some speculation that the first version was made in China because the worm placed a message saying "hacked by Chinese" on infected systems. The economic cost of both worms has reportedly risen to nearly $2 billion.

F-Secure's Hypponen thinks Code Red II was made in the United States by virus writers who believe the original Code Red came from China. Hypponen himself doesn't believe the original worm was created in China, although he doesn't have anything concrete to back that.

"This [Code Red II] is an anti-Chinese virus. It checks whether it has infected a Chinese machine and then doubles the spreading rate. We think Code Red II was made in the U.S. as a retaliation," says Hypponen.

Code Red is a self-propagating worm that exploits a flaw in Internet Information Server, a part of Microsoft's Windows 2000 and Windows NT software. It scans the Internet for vulnerable systems and infects these systems by installing itself. The amount of traffic Code Red generates can slow down the flow of information across the Internet.

The more dangerous Code Red II installs a back door in servers that allows attackers to access the infected computer without the usual passwords. Once logged in through the back door, attackers can gain control of the machine.

A patch for the flaw in IIS that is exploited by Code Red and Code Red II has been available from Microsoft since mid-June.

• See more like this:
• virus,
• worm,
• Code Red II,
• Code Red,
• 29A,
• german,
• chinese,
• government,
• F-Secure