The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL</h2>

Release Date: July 19, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled</li>
<li>Systems running Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server)</li>
<li>Systems running beta versions of Microsoft Windows XP</li>
</ul>
<a name="overview">
<h2>Overview</h2>
<p>The CERT/CC has received reports of new self-propagating malicious
code exploiting the vulnerability described in <a href="http://www.cert.org/advisories/CA-2001-13.html">CERT Advisory CA-2001-13
Buffer Overflow In IIS Indexing Service DLL</a>.  These reports indicate that the "Code Red" worm
has already affected more than 13,000 hosts. </p>
<h2>Description</h2>
<p>In examples we have seen, the "Code Red" worm attack sequence
proceeds as follows:</p>
<ul>
<li>The victim host is scanned for TCP port 80.</li>
<li>The attacking host sends the exploit string to the victim.</li>
<li>The worm, now executing on the victim host, checks for the existence of c:\notworm.  If found, the worm ceases execution.</li>
<li>If c:\notworm is not found, the worm begins spawning threads to
scan random IP addresses for hosts listening on TCP port 80,
exploiting any vulnerable hosts it finds.</li>
<li>If the victim host's default language is English, then after 100
scanning threads have started and a certain period of time has elapsed
following infection, all web pages served by the victim host are
defaced with the message:
<blockquote><pre>
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
</pre></blockquote>
</li>
<li>If the victim host's default language is not English, the worm
will continue scanning but no defacement will occur.</li>
</ul>

<p>Additional detailed analysis of this worm has been published by eEye
Digital Security at <a href="http://www.eeye.com">http://www.eeye.com</a>.</p>

<h2>Impact</h2>
<p>In addition to web site defacement, affected systems may experience
performance degradation as a result of this worm.</p>
<p>Each instance of the "Code Red" worm uses the same random number
generator seed to create the list of IP addresses it scans.
Therefore, each victim host begins scanning the same IP addresses that
previous instances have scanned, which could result in a denial of
service against the IP addresses earliest in the list.</p>
<p>Furthermore, it is important to note that while the "Code Red" worm
appears to merely deface web pages on affected systems and attack
other systems, the IIS indexing vulnerability it exploits can be used
to execute arbitrary code in the Local System security context,
effectively giving an attacker complete control of the victim system.
It is therefore imperative to apply the remedies described in the
Solutions section of this document.</p>
<h4>System Footprint</h4>
<p>The "Code Red" worm can be identified on victim machines by the
presence of the following string in IIS log files (a single request
line, wrapped here for display).  Note that IIS logs the request whether
or not the overflow succeeded, so the string shows that a host was
attacked; a patched host, or one on which the workaround has been
applied, will log it as well:</p>
<blockquote>
<font face="Courier">
<pre>
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a 
</pre>
</font>
</blockquote>
<p>Additionally, web pages on victim machines may be defaced with the following message:</p>
<blockquote><pre>
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
</pre></blockquote>
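<p>The following script is an added illustration for this note and is not CERT/CC code.  It applies the log signature above to IIS W3C extended log lines, where cs-uri-stem and cs-uri-query are logged as separate columns.  The log lines, client addresses (RFC 5737 documentation ranges) and column layout are constructed for the example; the run of 224 N characters and the %u-encoded payload are taken from the string quoted above.  The script also expands the %uXXXX escapes to their 16-bit values so the payload can be inspected as bytes, and flags any other oversized default.ida query, since an attempt on the same vulnerability that is not the worm still calls for the remedies in the Solutions section.</p>

```python
"""Scan IIS W3C extended log lines for the "Code Red" request signature.

Added example for this incident note, not CERT/CC code.  The log lines,
client addresses (RFC 5737 documentation ranges) and column layout are
constructed; the 224 'N's and the %u-encoded payload come from the string
quoted in the note.
"""
import re
from dataclasses import dataclass

# Query string of the worm request as shown in the note (one line).
CODE_RED_QUERY = (
    "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log in IIS 5.0 W3C extended format; "-" means no query.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:01:02 192.0.2.10 GET /index.htm - 200",
    "2001-07-19 10:01:05 198.51.100.7 GET /default.ida " + CODE_RED_QUERY + " 200",
    "2001-07-19 10:02:11 203.0.113.5 GET /images/logo.gif - 304",
    "2001-07-19 10:03:40 198.51.100.9 GET /default.ida " + "A" * 300 + " 404",
])

# The worm request: default.ida, a long run of N, then %u-encoded shellcode.
WORM_SIG = re.compile(r"^/default\.ida\?N{200,}(?:%u[0-9a-fA-F]{4}){4,}")
# Broader check: any oversized query to default.ida is an attempt on the same
# vulnerability, worm or not, and merits the same follow-up.
OVERLONG_SIG = re.compile(r"^/default\.ida\?.{200,}$")


@dataclass
class Hit:
    line_no: int
    client_ip: str
    status: str
    kind: str  # "code-red" or "ida-overlong"


def parse_w3c(text):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before #Fields header")
        parts = line.split()  # the W3C format encodes spaces in values as '+'
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield n, dict(zip(fields, parts))


def scan_iis_log(text):
    """Return a Hit for every request matching the worm or the broader check."""
    hits = []
    for n, rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        uri = stem if query == "-" else f"{stem}?{query}"
        if WORM_SIG.match(uri):
            kind = "code-red"
        elif OVERLONG_SIG.match(uri):
            kind = "ida-overlong"
        else:
            continue
        # A 200 here does not by itself prove the overflow succeeded; check the host.
        hits.append(Hit(n, rec.get("c-ip", "?"), rec.get("sc-status", "?"), kind))
    return hits


def decode_percent_u(s):
    """Expand %uXXXX escapes to their 16-bit values, stored little-endian,
    so the payload can be read as raw bytes."""
    return b"".join(int(h, 16).to_bytes(2, "little")
                    for h in re.findall(r"%u([0-9a-fA-F]{4})", s))


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} from {h.client_ip} (status {h.status})")
    # %u9090 -> bytes 0x90 0x90, the x86 NOP opcode: the payload opens with a NOP sled.
    print("payload:", decode_percent_u(CODE_RED_QUERY)[:8].hex())
```

<p>The worm pattern is deliberately anchored on the long run of N and the %u escapes so that a legitimate short default.ida request is not flagged; the broader check catches hand-crafted variants with different filler.  Treat every hit as a host to verify by hand, not as proof of compromise.</p>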
<h4>Network Footprint</h4>
<p>A host running an active instance of the "Code Red" worm will scan
random IP addresses on port 80/TCP looking for other hosts to infect.</p>
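<p>As a further added example (not CERT/CC code), the following picks out scanning hosts from connection records and then uses the shared-seed behaviour described under Impact: infected hosts walk the same target list in the same order.  The record format (epoch seconds, source, destination, destination port), the addresses (RFC 5737 documentation ranges), the time window and the thresholds are all constructed assumptions for the example.  A legitimate crawler or vulnerability scanner can trip the per-source threshold too, which is why the second check looks for identical target order across sources.</p>

```python
"""Pick out "Code Red" scanners from connection records.

Added example for this incident note, not CERT/CC code.  The record format
(epoch seconds, source, destination, destination port), the addresses (RFC
5737 documentation ranges), the time window and the thresholds are all
constructed for the example.
"""
from collections import defaultdict

# Twelve constructed targets; a real worm instance draws these from its PRNG.
TARGETS = [f"203.0.113.{i}" for i in range(1, 13)]


def build_sample_conns():
    """Constructed records: two infected hosts walk TARGETS in the same order
    (the note says every instance starts from the same seed), while an
    ordinary client touches a few web servers."""
    rows = []
    for i, dst in enumerate(TARGETS):
        rows.append((1000 + 2 * i, "198.51.100.7", dst, 80))
        rows.append((1100 + 2 * i, "198.51.100.9", dst, 80))
    rows += [
        (1005, "192.0.2.10", "203.0.113.1", 80),
        (1010, "192.0.2.10", "203.0.113.2", 80),
        (1020, "192.0.2.10", "203.0.113.50", 443),
    ]
    return sorted(rows)


def find_scanners(conns, window=60, min_targets=10):
    """Map each source that reaches >= min_targets distinct hosts on 80/TCP
    within `window` seconds to its full, time-ordered target list."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(conns):
        if dport == 80:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_targets:
                scanners[src] = [d for _, d in events]
                break
    return scanners


def shared_seed_groups(scanners, prefix=8):
    """Group scanners whose first `prefix` targets agree in order.  A crawler
    can exceed the per-source threshold; unrelated hosts choosing the same
    first eight addresses in the same order is strong evidence of the same
    seeded generator."""
    groups = defaultdict(list)
    for src, targets in scanners.items():
        groups[tuple(targets[:prefix])].append(src)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    scanners = find_scanners(build_sample_conns())
    for src, targets in scanners.items():
        print(f"{src}: {len(targets)} port-80 targets, first {targets[:3]}")
    print("same-seed groups:", shared_seed_groups(scanners))
```

<p>The per-source window check is the usual scan detector; the prefix comparison is specific to a worm whose instances share a seed and would not apply to one that seeds from local entropy.</p>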
<p>
<h2>Solutions</h2>
<p>The CERT/CC encourages all Internet sites to review <a href="http://www.cert.org/advisories/CA-2001-13.html">CERT Advisory
CA-2001-13</a> and ensure workarounds or patches have been applied on all
affected hosts on your network.</p>
<p>If you believe a host under your control has been compromised, you may wish to refer to</p>
<dl>
<dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps for Recovering from a UNIX or NT System Compromise</a>
</dd>
</dl>
<h2>Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.
If machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org">cert@cert.org</a>.</p>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: Allen Householder<br/>
<hr noshade="" width="100%"/>
<h2>CERT/CC Contact Information</h2>
<dl>
<b>Email:</b> <a href="mailto:cert@cert.org">cert@cert.org</a><br/>
<b>Phone:</b> +1 412-268-7090 (24-hour hotline)<br/>
<b>Fax:</b> +1 412-268-6989<br/>
<b>Postal address:</b><br/>
<dd>
CERT Coordination Center<br/>
Software Engineering Institute<br/>
Carnegie Mellon University<br/>
Pittsburgh PA 15213-3890<br/>
U.S.A.<br/>
</dd></dl>

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<p>
<h4>Using encryption</h4>
<p>We strongly urge you to encrypt sensitive information sent by
email.  Our public PGP key is available from<p>
<ul>
<a href="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</a>
</ul>

If you prefer to use DES, please call the CERT hotline for more
information.<p>
<h4>Getting security information</h4>

CERT publications and other security information are available from
our web site<p>
<ul>
<a href="http://www.cert.org/">http://www.cert.org/</a>
</ul>

To subscribe to the CERT mailing list for advisories and bulletins, send email to
<a href="mailto:majordomo@cert.org">majordomo@cert.org</a>. Please include in the body of your
message<br/>
<p><tt>subscribe cert-advisory</tt>
<p>

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.<p>
<hr noshade="" width="100%"/>
<b><u>NO WARRANTY</u></b><br/>
<b>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</b>
<hr/>
<a href="http://www.cert.org/legal_stuff.html">Conditions for use, disclaimers, and sponsorship information</a><p>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History
<pre>
July 19, 2001: Initial Release
January 17, 2002: Updated Reporting section</pre>
</p></p></p></p></p></p></p></p></p></p></p></p></p></a></a>