Code Red Virus Alert
Eight Gun Fighter
Thread Starter
Join Date: Apr 2000
Location: Western Approaches
Posts: 1,126
Code Red Virus Alert
United States Government departments and several private companies have issued an unprecedented warning to organisations
throughout the world to protect themselves against a computer bug known as the Code Red Worm.
Representatives of the White House, the FBI, Microsoft Inc. and others have posted warnings on their websites, and are planning
a news conference on Monday to highlight the dangers of the worm.
Ron Dick, the head of an FBI arm called the National Infrastructure Protection Centre (NIPC), said worms like Code Red posed a
distinct threat to the internet.
The worm has already infected and caused outages in hundreds of thousands of systems.
And it is likely to start spreading again on 31 July in a mutated and potentially even more dangerous form.
Officials are urging users to install a security patch available on Microsoft's website.
The Associated Press news agency said that while the US Government often works with private companies to combat new
viruses, they have never before made such a high-profile appeal.
Widespread outages:
The worm causes a slowing of the internet and can cause sporadic but widespread outages.
In the first nine hours of an outbreak on 19 July, it infected more than 250,000 systems.
Code Red exploits a vulnerability in internet server software from Microsoft on the company's NT 4.0 and Windows 2000
operating systems. Windows 95, Windows 98 and Windows Me users are not affected.
For English websites, the worm replaces sites' homepage with the text "Hacked by Chinese".
Because of the rapid spread of Code Red, security companies have not been able to work out who wrote or released the worm.
Government woes:
Last week the worm forced the US Defence Department to pull the plug on its public facing sites from 20-24 July.
The Pentagon is the world's largest user of computers, with some 10,000 networks.
But the worm's ultimate purpose has been to launch a denial of service attack against the White House website.
In a denial of service attack, infected computers attempt to flood a website with traffic, rendering it unable to respond to legitimate
requests.
But White House web administrators foiled the last attack by moving the site to a new address.
Guest
Posts: n/a
For information, from the McAfee website...
UPDATE July 19, 2001,
AVERT is raising awareness of this worm with a Risk Assessment on this exploit as SPECIAL. We are doing so as our focus is on providing security support to our customers and the computing public at large.
Your environment is at HIGH RISK if:
1) You have Microsoft Index Server 2.0, or Indexing Service installed with Windows 2000 or IIS.
2) You have NOT updated these components with the latest patch from Microsoft available here.
The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).
IT EXISTS IN MEMORY ONLY AND NO WRITTEN FILE EVER EXISTS ON THE HARD DISK.
It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to its victims, which in turn scan the web for other systems to infect. Once infected, this viral code checks for the existence of Cnotworm. If the file Cnotworm is present the worm stops seeking other machines to infect.
Affected English language web servers have their web pages defaced with:
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=English"><title>HELLO!</title></head><bady><hr size=5>
<font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!
</font></hr></bady></html>
Indications Of Infection:
Web pages defaced with the message:
--------------------------------------------------------------------------------
Welcome to http://www.worm.com !
Hacked By Chinese!
Guest
Posts: n/a
Latest info from Microsoft...
The Microsoft Security Response Center, along with other
organizations listed below, is jointly publishing this alert that
ALL IIS ADMINISTRATORS ARE ASKED TO READ
A Very Real and Present Threat to the Internet:
July 31 Deadline For Action
Summary:
The Code Red Worm and mutations of the worm pose a
continued and serious threat to Internet users. Immediate action
is required to combat this threat. Users who have deployed
software that is vulnerable to the worm (Microsoft IIS
Versions 4.0 and 5.0) must install, if they have not done so
already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems
in just 9 hours. The worm scans the Internet, identifies
vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others causing
the rate of scanning to grow rapidly. This uncontrolled growth
in scanning directly decreases the speed of the Internet and
can cause sporadic but widespread outages among all types of
systems. Code Red is likely to start spreading again on
July 31st, 2001 8:00 PM EDT and has mutated so that it may be
even more dangerous. This spread has the potential to disrupt
business and personal use of the Internet for applications such
as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you
are not certain, follow the instructions attached to determine
whether you are running IIS 4.0 or 5.0. If you are using
Windows 95, Windows 98, or Windows Me, there is no action that
you need to take in response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:
- Windows NT version 4.0:
http://www.microsoft.com/Downloads/R...eleaseID=30833
- Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/R...eleaseID=30800
Step-by-step instructions for these actions are posted at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codeptch.asp
Microsoft's description of the patch and its installation,
and the vulnerability it addresses is posted at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
Because of the importance of this threat, this alert is
being made jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance
Join Date: Jun 2001
Location: Melbourne, Victoria, Australia
Posts: 36
I was affected by this about 2 weeks ago. I woke to find my 9-hour modem connection had sent about 70Mb of data!! I ran a netstat and my machine had port 80 sessions with about 30 machines from all walks of life...
A reboot did the job, and as a precaution I stopped all IIS services until I applied the patch.
Some people just have nothing better to do with their lives....
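The two indications of infection the thread describes (the McAfee post's defaced homepage text, and the last poster's netstat showing port-80 sessions to dozens of unrelated hosts) can be checked from the defender's side. The following is an added example, not code from the thread or from McAfee or Microsoft; the netstat sample is constructed in Windows `netstat -an` layout, and the fan-out threshold of 20 distinct hosts is an assumption, not a figure from the page.

```python
import re
from typing import Iterable

# Defacement text that the McAfee advisory lists as an indication of infection.
DEFACEMENT_MARKER = "Hacked By Chinese!"

# Assumed threshold: a lone server rarely holds outbound web sessions to this
# many distinct hosts at once; the poster saw about 30.
FANOUT_THRESHOLD = 20

# Windows 'netstat -an' TCP line: proto, local address, remote address, state.
_NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+(?P<state>\S+)\s*$")


def page_is_defaced(html: str) -> bool:
    """True if a fetched homepage carries the worm's defacement text."""
    return DEFACEMENT_MARKER in html


def outbound_web_peers(netstat_lines: Iterable[str]) -> set[str]:
    """Distinct remote hosts this machine is connecting to on TCP port 80.

    Only sessions whose *remote* side is port 80 count: that is the direction
    an infected server scans in. Listeners and inbound hits are ignored.
    """
    peers = set()
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        rhost, _, rport = m.group("raddr").rpartition(":")
        if rport == "80" and m.group("state") in ("SYN_SENT", "ESTABLISHED"):
            peers.add(rhost)
    return peers


def looks_infected(netstat_lines, homepage_html="", threshold=FANOUT_THRESHOLD):
    """Return the list of indicators that fired (empty list means none)."""
    reasons = []
    peers = outbound_web_peers(netstat_lines)
    if len(peers) >= threshold:
        reasons.append(f"outbound port-80 sessions to {len(peers)} distinct hosts")
    if page_is_defaced(homepage_html):
        reasons.append("homepage carries the defacement text")
    return reasons


# Constructed sample resembling the poster's netstat: the server's own listener,
# one ordinary inbound visitor, and 30 outbound port-80 sessions to unrelated hosts.
SAMPLE_NETSTAT = [
    "  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:80          203.0.113.5:3311       ESTABLISHED",
] + [f"  TCP    192.0.2.10:{1025 + i}    198.51.100.{i}:80    SYN_SENT" for i in range(30)]

if __name__ == "__main__":
    print(looks_infected(SAMPLE_NETSTAT, "<p>Hacked By Chinese!</p>"))
```

A clean machine yields an empty list; the sample above fires the fan-out indicator alone, and both indicators when the defaced homepage text is supplied.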