Code Red Worm Crawls Again
It's a Code Red week again.
The prolific worm, which is now crawling the Net in several variations, spends much of the calendar month slithering into systems through a hole in Microsoft Internet Information Server (IIS). On August 20, as it has on the twentieth day of previous months, infected systems are programmed to launch denial-of-service attacks.
The specific IP address
The virus-watching organizations expect damage should be minimal this time around, although they caution that your unprotected server might still harbor a worm.
"We're getting fewer reports of infections," says Shawn Hernan, team leader for vulnerability handling at the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University. "I don't expect this will be a major event."
Still, he estimates that more than 25,000 Internet servers are still vulnerable to the Code Red worm family. It appears on systems running IIS, which typically run the Windows 2000 and Windows NT operating systems. In fact, IIS is enabled by default on Windows 2000.
Those unprotected systems will become infected once the worm resumes scanning for them in September, Hernan says. He credits the work of various governmental and private sector organizations during the previous two outbreaks of the worm with protecting hundreds of thousands of servers already.
Code Red, discovered in mid-July, made its
Rumors of a third variant, called Code Red III, claimed it was even more dangerous than the original. But the only variant is nomenclature, says Lisa Smith, a spokesperson for antivirus vendor McAfee.
"There was confusion about what different antivirus vendors are calling the same thing," she says. What some people are calling Code Red III is the same as Code Red II, she says.
Whatever its name and nasty habits, the Code Red worm isn't vanishing entirely.
"We are going to see, over the next year, echoes of this every month until the number of vulnerabilities is negligible," says CERT's Hernan. A number of time-sensitive worms and viruses, which made large initial impacts, still cause small bouts of trouble on certain dates. Even if Code Red will no longer trouble Internet users, the issues that it exploited are still present, Hernan says.
"Fundamentally, there are chronic problems on the Internet," such as systems administrators not patching their systems soon enough and software being released with security holes, he says. "Until we can address both root causes in a fundamental way, we're going to continue to be at risk."
Before Code Red awakens for its monthly exercise, you might find it valuable to assess vulnerable systems and ensure that you're not contributing to a network slowdown or--worse--leaving yourself open to more damage later. Following is a tutorial on assessing your damage and protecting your systems.
If you're running IIS, it's just smart management to make sure your system is protected against the Code Red worm family. Here's what you need to do to stomp out the worm, regardless of whether your system has become infected.
First, determine if the worm is residing on your system. If your PC contains the first release of Code Red, the worm exists only in memory and doesn't drop any files on your hard drive. The Code Red II version deposits so-called Trojan horse applications on your system that open it up to further hacking by outsiders.
Several free tools are available to scan your system for infection. You can use Symantec's
If you haven't been infected, you're in luck. Download the
If your system is infected by Code Red II, you may have additional problems. Between the time the worm wriggled into your system and when you discovered it, hackers may have already made other subtle changes to the affected system, installing other Trojan horse programs or other viruses. Besides installing the patch, conducting a full system scan using an up-to-date antivirus tool is in order. For systems that run critical infrastructure, like a business Web site, you may need to completely format the hard drive and reinstall the operating system from scratch. Or you may have to rebuild the entire drive from a previous full backup, just to be sure your machine is free and clear of nasties.
If your system is infected with either Code Red or Code Red II, you still need to install the patch. Also, grab a copy of the
Disconnect your network cable from the back of your PC (or hang up your modem connection) before you begin the cleanup. Begin the cleansing by running the Microsoft Code Red hotfix tool, and follow all the instructions to clean out the various files the worm left behind. (If you prefer to remove the files manually, you can skip this step and continue.)
The first part of the fix involves removing the Trojan horse files installed on your system. Code Red II takes advantage of a little-known default Windows behavior to find certain Windows programs starting in the C:\ directory instead of in the WINNT folder, where system apps reside. Code Red II places the Trojan, cleverly disguised as Explorer.exe, in either your C:\ or D:\ directory. You need to kill the Trojan Explorer while leaving the real Windows Explorer running.
First, close all open Windows Explorer windows. Hit the
You need to stop the copy of explorer.exe that is running only one "thread." If you don't see a column labeled Threads, click
Now that you've stopped the Trojan horse programs, you need to delete them from your hard drive using the Windows command line. Start the command program by clicking
If you've been bitten by the Code Red worm, you have some other clean-up operations to perform. Code Red modifies existing Windows applications and functions. It distorts their operations to widen your vulnerability. It also changes some functions of the Windows Registry, where much of the core information of the operating system is stored.
Code Red takes the legitimate cmd.exe application from the WINNT folder, renames it "Root.exe" and places it in locations where a hacker could use it to access your hard drive. Delete the following programs from your drive. (Note that in this case the worm installs these files on a C: and D: drive if you have one.)
The worm opens your hard drive to the Web via the personal Web server built into IIS. Your next step is to disable and remove these open shares.
Start by right-clicking the My Computer icon on the desktop and
The last part of the process involves opening the Windows Registry file and removing or replacing any keys the worm added or changed.
First, open the Registry Editor by clicking
In the left pane are the categories of entries in the Registry, called keys. Expand the following key category by clicking the plus sign next to each subsequent category: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
With the key "Virtual Roots" selected, delete the values of /C and /D in the right pane. Select the values one at a time. Press the
Next, in the right pane double-click the value /Scripts, and in the Edit String dialog box, delete only the number 217 from the end of the line labeled Value Data, and replace it with the number
Double-click the value /MSADC--also in the right pane--and in the Edit String dialog change the number 217 to
If you have Windows NT, just reboot your system and you're done. But if you run Windows 2000, you have one additional step in Regedit to clean Code Red II out of your system.
As you did before, open Regedit and then navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon key, and select WinLogon in the left pane. In the right pane, double-click the value SFCDisable, and replace whatever you see in the Value data field with
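As an added example that is not part of the original article, the following read-only PowerShell audit checks for the Code Red II indicators the steps above walk through: an explorer.exe dropped in a drive root, a running explorer.exe with a single thread, the /C and /D virtual roots, the 217 suffix on the /Scripts and /MSADC value data, and a changed SFCDisable value. It assumes a Windows version that has PowerShell and the registry paths exactly as the article gives them; it only reports, it does not remove anything, and it does not look for the Root.exe copies because the article does not name their locations.

```powershell
# Added audit script, not from the original article. Read-only: it reports
# the indicators described in the cleanup steps and modifies nothing.
$findings = @()

# 1. Trojan explorer.exe dropped in a drive root (the real one lives in WINNT).
foreach ($root in 'C:\', 'D:\') {
    $path = Join-Path $root 'explorer.exe'
    if (Test-Path $path) { $findings += "Suspicious file: $path" }
}

# 2. The article identifies the Trojan as the explorer.exe running one thread.
Get-Process -Name explorer -ErrorAction SilentlyContinue |
    Where-Object { $_.Threads.Count -eq 1 } |
    ForEach-Object { $findings += "explorer.exe PID $($_.Id) is running with one thread" }

# 3. IIS virtual roots: /C and /D shares the worm adds, and /Scripts and
#    /MSADC value data that the worm changed to end in 217.
$vr = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
if (Test-Path $vr) {
    $props = Get-ItemProperty -Path $vr
    foreach ($name in '/C', '/D') {
        if ($props.PSObject.Properties[$name]) { $findings += "Virtual root $name is present" }
    }
    foreach ($name in '/Scripts', '/MSADC') {
        $val = $props.PSObject.Properties[$name].Value
        if ($val -and $val -match '217$') { $findings += "$name value data ends in 217: $val" }
    }
}

# 4. Windows 2000 step: report the SFCDisable value under WinLogon so it can be
#    compared with the value the article tells you to restore (assumption:
#    any nonzero value is worth flagging, since 0 is the Windows 2000 default).
$wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon'
$sfc = (Get-ItemProperty -Path $wl -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) { $findings += "SFCDisable is set to $sfc" }

if ($findings.Count -eq 0) { 'No Code Red II indicators found.' } else { $findings }
```

Run it in an elevated session with the server disconnected from the network, as the article advises, and treat any finding as a reason to proceed with the full cleanup and patch rather than as proof the system is otherwise clean.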
Once a system is compromised, especially by Code Red II, it is potentially exposed to other infections. Antivirus vendors caution that infected systems are at their most vulnerable to attack. Unless you comb the usage and operations logs and can be certain nothing else malicious has occurred on the system, you may want to completely reinstall the operating system to be 100 percent certain that the PC is clean.