Users login

Create an account »


Users login

Home » Hacking News » Code Red 2 finally dead.

Code Red 2 finally dead.

by Majik on October 3rd, 2001 After a nearly two-month rampage across the Internet, the Code Red II worm has entered a period of self-inflicted euthanasia as of midnight Sept. 30, security experts said today.

For reasons unknown, the worm's unidentified author programmed the worm to stop attempting to spread to other vulnerable Microsoft systems running Internet Information Server (IIS) software once the month of October arrived.

An analysis of Code Red II shows the code has no provision to wake back up after midnight coordinated universal time (UTC) September 30, according to Dale Coddington, a systems security engineer with eEye Digital Security, the firm which discovered the IIS bug exploited by Code Red II and its predecessor Code Red.

Code Red II first began infecting Windows 2000 systems in early August and spread to hundreds of thousands of machines by exploiting a buffer-overflow vulnerability known as the IDA bug. Microsoft released a patch for the bug in June.

According to Ryan Russell, incident analyst for, the death of Code Red II should mean that administrators of all types of Internet-connected systems will have one fewer worm probing their machines over port 80 in an attempt to spread.

Unfortunately, said Russell, "Nimda has stepped up to the plate," referring to the latest worm which also uses IIS port 80 as one of several vectors for propagation.

Nimda was first identified September 18 and is still actively scanning Internet address space in search of new hosts to infect, according to Russell.

As a result, intrusion detection logs compiled by and other reporting services since October 1 show port 80 is still overwhelmingly the most frequently attacked port.

Even though Code Red II's port scanning has abated, the worm's most damaging aspect remains. Code Red II creates a file called root.exe on infected servers, leaving a "back door" open to any attacker, according to Russell. In addition, a compromised version of explorer.exe, an important system file, remains on the server, preventing a simple clean up.

While Microsoft has released a tool for removing Code Red II from a server, the Computer Emergency Response Team and other security experts recommend reformatting an infected system's hard drive and re-installing all software and applying appropriate patches.

Because Code Red II contained code to kill off the original Code Red worm discovered in July, the demise of Code Red II could create an opportunity for old Code Red to return, according to Russell.

In addition, Russell and other experts say a malicious person could easily modify the date-related instructions in Code Red II and release a new version of the worm without the October shutdown.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »