Security Alert: Code Red - Updated 03/11/2003
New Variant: Code Red F Variant
Aliases: CodeRed.F, W32/CodeRed.f.worm, CODERED.F
Discovery Date: March 11, 2003
This version of Code Red has all of the characteristics of the original virus, differing from it by only two bytes. Command AntiVirus version 4.58.3 or higher will detect and disinfect the virus.
Name: Code Red Variant
Aliases: W32/CodeRed.c.worm, CodeRed.C, Worm/RedCode.IIS.2, CodeRed.v3
Type: Exploit
Description:
This variant of the original Code Red worm was discovered on August 4, 2001. It uses the same buffer overflow vulnerability as the original to spread, but also has the ability to install a backdoor trojan onto the infected system. This allows any interested parties to have remote access to the infected system's web server.
This worm can be located on an infected system by the following string in the IIS log files:
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Detection of Backdoor Trojan:
Command AntiVirus version 4.58.3 or higher with definition files dated 08/07/01 will detect this virus as a security risk or as a "backdoor" trojan.
Solution:
Apply the following patches, available on the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/security/bulletin/MS00-052.asp
Name: Code Red
Aliases: CodeRed, CodeRed.A, Bady
Type: Exploit
Description:
Code Red affects systems running an unpatched version of Microsoft Windows NT 4.0 and Windows 2000 with IIS 4.0 or 5.0. The worm is able to exploit a known buffer overflow vulnerability by sending its code as an HTTP request to its victim.
This worm can be located on an infected system by the following string in the IIS log files:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53
Solution:
Apply the following patch, made available by Microsoft.
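Both IIS log strings above share the same shape: a long filler run (N for the original worm, X for the variant) followed by %u-encoded words that begin with %u9090%u6858%ucbd3%u7801. The following scanner is an added example, not code from the original alert or from Command AntiVirus; it parses IIS W3C extended log lines (a constructed sample is embedded, with an arbitrary filler length) and reports the source address and family for each probe it finds.

```python
import re

# Constructed IIS W3C extended log excerpt (not from any real server): one probe
# per family from the alert, a normal request, and a benign /default.ida hit with
# no query string. The filler length of 200 is arbitrary in this sample.
_SHELL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
          "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53")
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-04 10:15:22 192.0.2.10 GET /default.ida {'X' * 200}{_SHELL}ff%u0078%u0000%u00=a 200",
    f"2001-07-19 08:01:03 198.51.100.7 GET /default.ida {'N' * 200}{_SHELL} 200",
    "2001-08-04 10:16:00 203.0.113.5 GET /index.htm - 200",
    "2001-08-04 10:17:41 203.0.113.9 GET /default.ida - 404",
])

# Both log strings in the alert begin with a long filler run (N for the original,
# X for the variant) followed by %u-encoded words starting with this prefix.
SHELLCODE_PREFIX = "%u9090%u6858%ucbd3%u7801"
SIGNATURE = re.compile(r"^(?P<filler>N{16,}|X{16,})(?P<payload>(?:%u[0-9a-f]{4})+)", re.I)

def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def classify_request(uri_stem, uri_query):
    """Return 'CodeRed.A', 'CodeRed.C', or None for a single logged request."""
    if uri_stem.lower() != "/default.ida":
        return None
    m = SIGNATURE.match(uri_query)
    if not m or not m.group("payload").lower().startswith(SHELLCODE_PREFIX):
        return None
    # The filler character tells the two families apart, as in the alert's strings.
    return "CodeRed.A" if m.group("filler")[0].upper() == "N" else "CodeRed.C"

def find_code_red(log_text):
    """Return (client IP, family) for every request matching either signature."""
    hits = []
    for row in parse_w3c(log_text):
        label = classify_request(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if label:
            hits.append((row["c-ip"], label))
    return hits
```

A match only identifies a probe that reached the server; whether it succeeded depends on the patch level, so confirm with the AntiVirus scan described above.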
Protect your system from worms that exploit operating system and application vulnerabilities...
TotalCOMMAND performs an enterprise-wide discovery of our security software and patch configurations on all machines within your network. It reports the version and date of existing patches as well as any missing patch on each computer. TotalCOMMAND rolls out the patches at prescheduled time settings and without any end user intervention. Get TotalCOMMAND today.