Code Red for IIS Applications

A new worm known as "Code Red" has been spreading around the Net defacing Web pages by infecting servers running Microsoft's Internet Information Services (IIS).

by internetnews.com Staff [July 20, 2001]

eEye Digital Security said the worm is similar to the sadmind/IIS worm that propagated near the end of the U.S.-China hacker skirmishes in May.

Code Red tries to exploit a buffer overflow in the IIS application programming interface that Microsoft patched last month (The patch may be found here). Once it infects a server it attempts to:

• Spawn 100 threads that scan servers running a vulnerable version of IIS
• Check for the existence of the c:notworm file (which it creates); if it finds c:notworm then it does not propagate itself to other hosts
• Defaces Web pages with the message: Hello! Welcome to http://www.worm.com! Hacked By Chinese!

To recover an infected system, patch IIS, remove the file c:notworm and restore the defaced Web files from a recent backup.

— End