The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the worm has already affected thousands of systems. This new worm is being called "Code Red II"; however, except for using the same buffer overflow mechanism, it is different from the original "Code Red" worm described in CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
The "Code Red II" worm causes system level compromise and leaves a backdoor on certain machines running Windows 2000. Vulnerable Windows NT 4.0 systems could experience a disruption of the IIS service.
The "Code Red II" worm is self-propagating malicious code that exploits a known vulnerability in Microsoft IIS servers (CA-2001-13).
The "Code Red II" worm attacks as follows:
Upon successful compromise of a system, the worm
On systems not patched against the "Relative Shell Path" vulnerability (http://www.microsoft.com/technet/security/bulletin/MS00-052.asp), this Trojan horse copy of explorer.exe will run every time a user logs in. In this fashion, certain pieces of the worm's payload have persistence even after a reboot of the compromised machine.
The "Code Red II" worm can be identified on victim machines by the presence of the following string in IIS log files:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
The presence of this string in a log file does not necessarily indicate compromise; it only implies that a "Code Red II" worm attempted to infect the machine.
The worm will create several files on the compromised machines. These files include c:\explorer.exe or d:\explorer.exe, as well as root.exe in the IIS scripts or MSADC folder. While the existence of the file root.exe could indicate compromise, it does not necessarily imply the presence of the "Code Red II" worm. This file name has been used for artifacts of other exploits, including the sadmind/IIS worm (see CA-2001-11).
A host running an active instance of the "Code Red II" worm will scan random IP addresses on port 80/TCP looking for other hosts to infect. The IP addresses scanned by the "Code Red II" worm are determined in a probabilistic manner:
Additional detailed analysis of this worm has been published by eEye Digital Security at http://www.eeye.com.
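As an added example (not part of the advisory), the two indicators described above, the IIS log signature and the artifact file names, as a small Python check run over constructed sample data. The log line layout and the sample paths are assumptions; a log hit is reported as an attempt only, since the advisory notes the string does not by itself prove compromise.

```python
import re

# Signature built from the IIS log string quoted in the advisory: a GET for
# /default.ida with a long run of "X" padding followed by %u-encoded words.
CODE_RED_II_RE = re.compile(
    r"GET\s+/default\.ida\?X{50,}.*%u9090%u6858%ucbd3%u7801", re.IGNORECASE
)

# File artifacts named in the advisory: explorer.exe in a drive root, and
# root.exe in the IIS scripts or MSADC folder (parent directory not assumed).
ARTIFACT_RE = re.compile(
    r"^(?:[cd]:\\explorer\.exe|.*\\(?:scripts|msadc)\\root\.exe)$", re.IGNORECASE
)

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def scan_iis_log(lines):
    """Return (line_number, client_ip) for each line carrying the probe.

    A hit means a Code Red II infection attempt reached this server; it
    does not by itself show the server was compromised.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if CODE_RED_II_RE.search(line):
            ip = IP_RE.search(line)
            hits.append((number, ip.group(0) if ip else None))
    return hits


def find_artifacts(paths):
    """Return the paths matching artifact names from the advisory.

    root.exe alone is weaker evidence than explorer.exe in a drive root:
    the same name has been left by other exploits (e.g. the sadmind/IIS worm).
    """
    return [p for p in paths if ARTIFACT_RE.match(p)]


# Constructed sample log lines (assumed layout: date time client-ip request status).
PROBE = ("X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858"
         "%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    "2001-08-06 03:12:44 10.1.2.3 GET /default.ida?" + PROBE + " 200",
    "2001-08-06 03:12:45 10.1.2.9 GET /index.html 200",
    "2001-08-06 03:12:46 10.1.2.7 GET /default.ida?name=value 404",
]

if __name__ == "__main__":
    for number, ip in scan_iis_log(SAMPLE_LOG):
        print(f"line {number}: Code Red II probe from {ip} (attempt, not proof of compromise)")
    print(find_artifacts([r"c:\explorer.exe", r"c:\inetpub\scripts\root.exe", r"c:\winnt\explorer.exe"]))
```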
Intruders can execute arbitrary commands within the LocalSystem security context on Windows 2000 systems infected with the "Code Red II" worm. Compromised systems may be subject to files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.
The widespread, automated attack and propagation characteristics of the "Code Red II" worm may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where "Code Red II" is running.
Windows NT 4.0 systems and Cisco 600-series DSL routers may experience denial-of-service as a result of the scanning activity of the worm.
Infection by the "Code Red II" worm constitutes a system level compromise. If you believe a host under your control has been compromised, please refer to
Consistent with the security best-practice of denying all network traffic and only selectively allowing that which is required, ingress and egress filtering should be implemented at the network edge. Likewise, controls must be in place to ensure that all software used on a network is properly maintained. See CA-2001-23 Continued Threat of the "Code Red" Worm for more information on these topics.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Copyright 2001 Carnegie Mellon University.
Revision History
August 6, 2001: Initial Release
January 17, 2002: Updated Reporting section