http://www.eweek.com/article2/0,3959,924269,00.asp By Dennis Fisher March 11, 2003 Security experts are watching a new variant of the Code Red II worm that began appearing on some monitoring networks Tuesday. The worm is nearly identical to its ancestor, save for a modified drop-dead date that is now several thousand years in the future. Known as Code Red.F, the worm uses the same infection method as the previous versions, attacking Web servers running Microsoft Corp.'s IIS software. The worm so far has infected only a few machines, and because most administrators patched their servers after the initial Code Red outbreak in 2001, it is unlikely to spread extensively, experts say. All of the Code Red worms exploit an unchecked buffer in the Index Server in the IIS software. They then spread by infecting one machine and then scanning a list of random IP addresses and attempting to connect to port 80. The original Code Red, which struck in July 2001, infected several hundred thousand IIS servers and caused massive traffic disruptions on some portions of the Internet. Roger Thompson, the technical director of malicious code research at TruSecure Corp., in Herndon, Va., first began seeing new worm activity Tuesday morning. His WormCatcher network of distributed hosts monitoring activity on ports that worms commonly use started catching packets that were 3,818 bytes long coming in on port 80. "After looking at it, it was quite obviously a Code Red II variant," he said. "It's not going to be as bad as the previous version, but it will stay with us." Thompson said he had seen 20 unique infections as of Tuesday afternoon. Like the first Code Red, this version of the worm code contains a date on which it is set to stop attempting to propagate itself. Code Red II died in October 2001, but Code Red.F won't exhaust itself for about 30,000 years, Thompson said. The change in the drop-dead date and the fact that the buffer overflow is caused with a multitude of Xs instead of Ns are the only differences between Code Red II and its offspring. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 01:28:49 PST