
Code Red Worm Crawls Again

Here's how to protect your systems from the potential menace's monthly emergence.

Andrew Brandt, PCWorld.com


It's a Code Red week again.

The prolific worm, which is now crawling the Net in several variations, spends much of the calendar month slithering into systems through a hole in Microsoft Internet Information Server (IIS). On August 20, as it has on the twentieth day of previous months, infected systems are programmed to launch denial-of-service attacks.

The specific IP address targeted by Code Red, previously occupied by whitehouse.gov, is no longer active. It will duck the attacks, which are programmed to last through August 27. But surfers might still experience a general slowdown on the Net if Code Red provokes a flurry of network traffic. And what's more, your system could be an unwitting accomplice.

The virus-watching organizations expect damage to be minimal this time around, although they caution that your unprotected server might still harbor a worm.

"We're getting fewer reports of infections," says Shawn Hernan, team leader for vulnerability handling at the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University. "I don't expect this will be a major event."

Still, he estimates that more than 25,000 Internet servers are still vulnerable to the Code Red worm family. The worm appears on systems running IIS, which typically run the Windows 2000 and Windows NT operating systems. In fact, IIS is enabled by default on Windows 2000.

Those unprotected systems will become infected once the worm resumes scanning for them in September, Hernan says. He credits the work of various governmental and private sector organizations during the previous two outbreaks of the worm with protecting hundreds of thousands of servers already.

Dangerous Siblings

Code Red, discovered in mid-July, made its biggest splash after infecting more than 300,000 computers worldwide in August. It also defaces any servers it infects. A second worm, called Code Red II, lacks the date-sensitive aspects of the original, and does not leave graffiti. It does, however, install a more dangerous backdoor in the server that could allow attackers to gain control over those systems.

Rumors of a third variant, called Code Red III, claimed it was even more dangerous than the original. But the only variant is nomenclature, says Lisa Smith, a spokesperson for antivirus vendor McAfee.

"There was confusion about what different antivirus vendors are calling the same thing," she says. What some people are calling Code Red III is the same as Code Red II, she says.

Whatever its name and nasty habits, the Code Red worm isn't vanishing entirely.

"We are going to see, over the next year, echoes of this every month until the number of vulnerabilities is negligible," says CERT's Hernan. A number of time-sensitive worms and viruses, which made large initial impacts, still cause small bouts of trouble on certain dates. Even if Code Red will no longer trouble Internet users, the issues that it exploited are still present, Hernan says.

"Fundamentally, there are chronic problems on the Internet," such as systems administrators not patching their systems soon enough and software being released with security holes, he says. "Until we can address both root causes in a fundamental way, we're going to continue to be at risk."

Before Code Red awakens for its monthly exercise, you might find it valuable to assess vulnerable systems and ensure that you're not contributing to a network slowdown or--worse--leaving yourself open to more damage later. Following is a tutorial on assessing your damage and protecting your systems.
