RE: "Code Red" worm questions

From: Eric Chien (ecchienat_private)
Date: Thu Jul 19 2001 - 04:13:46 PDT


    Here are my DRAFT notes that may eventually appear on Symantec's threat 
    info sites.
    
    ...Eric
    
    The CodeRed worm affects systems running Microsoft Index Server 2.0 or the 
    Windows 2000 Indexing service. The worm uses a known buffer overflow 
    contained in ISAPI.DLL. Information and a patch regarding this 
    vulnerability can be found at: 
    http://www.microsoft.com/technet/security/bulletin/MS01-033.asp. 
    Administrators are encouraged to apply this patch to prevent infection from 
    this worm and other unauthorized access.
    
    The worm sends its code via an HTTP request. This code exploits the buffer 
    overflow, causing the worm to be executed on the system. The code is not 
    saved as a file, but injected and executed directly from memory. Patching 
    one's system and rebooting will remove the worm and prevent further infection.
    
    In addition to seeking out new hosts to attack, the worm may attempt a 
    denial of service attack. Also, the worm creates multiple threads (many of 
    which simply sleep), which can cause instability of the system.
    
    Also Known As: W32/Bady
    
    Category: Worm
    
    Infection Length: 3569
    
    Threat Assessment:
    
    Wild:         Medium
    Damage:       Medium
    Distribution: Low
    
    Wild:
    Number of infections: More than 1000
    Number of sites: More than 10
    
    Damage:
    Payload:
    Degrades performance: Will spawn multiple threads and utilize bandwidth.
    Causes system instability: Will spawn multiple threads.
    
    Distribution:
    Target of infection: Unpatched systems running Microsoft Index 2.0 or 
    Windows 2000 Indexing Service
    
    Technical description:
    
    The worm sends its code as an HTTP request. The HTTP request exploits the 
    buffer overflow, causing the worm to be executed on the system. The 
    malicious code is not saved as a file but injected and executed directly 
    from memory.
    
    Once executed, the worm creates an empty file c:\notworm as a marker that 
    the initial main thread has occurred.
    
    New threads are then continuously created. The first 100 threads attempt 
    to exploit more systems by targeting random IP addresses, if the date is 
    before the 20th. The worm will not make such HTTP requests to the IP 
    address of 127.*.*.*, thus avoiding the loopback address. However, systems 
    can become infected again.
    
    Further threads cause webpages to appear to be defaced if the system's 
    default language is US English. First, the thread sleeps 2 hours and then 
    hooks a function which responds to HTTP requests. Instead of returning the 
    proper webpage, the worm returns its own HTML.
    
    The HTML displays:
    
    Welcome to http:// www.worm.com !
    
    Hacked By Chinese!
    
    This hook lasts for 10 hours and then is removed. However, new threads that 
    are created can then rehook the function.
    
    Also, if the date is between the 20th and 28th, the worm attempts a Denial 
    of Service attack on a particular IP address by sending large amounts of 
    junk data to a specific high port.
    
    Finally, if the date is greater than the 28th, the worm's threads simply 
    are directed into an infinite sleep.
    
    The continual thread creation (many of which simply sleep) can cause system 
    instability.
    
    Removal instructions:
    
    To remove the worm obtain and apply the patch located at 
    http://www.microsoft.com/technet/security/bulletin/MS01-033.asp and restart 
    the system.
    The file c:\notworm can also be deleted.
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
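A small host-triage helper for the indicators Eric's notes describe (the c:\notworm marker file, the substituted defacement HTML, and the day-of-month schedule), written as an added example for this archive page; it is not code from the original post or from Symantec. The phase names and the `triage()` record layout are my own choices.

```python
"""Triage helper derived only from the CodeRed draft notes above:
the c:\\notworm marker, the injected defacement HTML, and the
day-of-month behaviour schedule (before 20th / 20th-28th / after 28th)."""
import os
from datetime import date

MARKER_FILE = r"c:\notworm"  # empty file created by the worm's initial thread
# Exact text the hooked HTTP handler returns instead of the real page
DEFACEMENT_STRINGS = ("Welcome to http:// www.worm.com !", "Hacked By Chinese!")


def is_defaced(html_body: str) -> bool:
    """True if a served page body carries the worm's substituted HTML."""
    return all(s in html_body for s in DEFACEMENT_STRINGS)


def worm_phase(day_of_month: int) -> str:
    """Map a day of the month onto the behaviour the notes attribute to it."""
    if day_of_month < 20:
        return "propagation"        # threads probe random IPs (skipping 127.*.*.*)
    if day_of_month <= 28:
        return "denial-of-service"  # junk data sent to one IP on a high port
    return "sleep"                  # threads parked in an infinite sleep


def marker_file_present(path: str = MARKER_FILE) -> bool:
    """Check for the marker file; only meaningful on the suspected host."""
    return os.path.exists(path)


def triage(html_body: str, day_of_month: int, marker_exists: bool) -> dict:
    """Combine the three indicators into one finding record for a host."""
    defaced = is_defaced(html_body)
    return {
        "defaced": defaced,
        "marker_file_present": marker_exists,
        "phase": worm_phase(day_of_month),
        "likely_infected": defaced or marker_exists,
    }


if __name__ == "__main__":
    # Constructed sample response body, built from the two lines in the notes.
    sample = "<html>Welcome to http:// www.worm.com !<br>Hacked By Chinese!</html>"
    print(triage(sample, date.today().day, marker_file_present()))
```

Because the defacement hook only activates after a two-hour sleep and only on US-English systems, a clean page body alone does not clear a host; the patch-and-reboot step from the removal instructions is still the authoritative fix.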
    