Users login

Create an account »


Users login

Home » Hacking News » The CodeRed Worm

The CodeRed Worm

by phiber on July 20th, 2001 Over the last few days, a worm that infects Microsoft Index Server 2.0 and Windows Indexing Service, has been spread all over the Internet. "Read More" how it works and how you can remove it from your system.

The CodeRed worm affects systems running Microsoft Index Server 2.0 or the Windows 2000 Indexing service. The worms uses a known buffer overflow contained in IDQ.DLL. Information and a patch regarding this vulnerability can be found here.

Administrators are encouraged to apply this patch to prevent infection from this worm as well as other unauthorized access.

Please note that one cannot reliably detect an infection by searching for specific files such as c:notworm or the html files of the defaced web pages. This is because the worm executes only in memory and never directly writes any information to the disk. Also, it is unreliable to search for traces of the worm in log files, since even patched machines may contain log entries of attacks. There seems to have been some incorrect information distributed about this common misconception.

To see if your system is vulnerable, click here.

How it works:

The worm sends its code as an HTTP request. The HTTP request exploits the buffer overflow causing the worm to be executed on the system. The malicious code is not saved as a file but injected and executed directly from memory.

Once executed, the worm checks for the file c:notworm. If this file exists, the thread goes into an infinite sleep.

If the c:notworm file does not exist, new threads are then created. Each thread may cause another thread to be spawned causing continually thread creation. The next 99 threads to attempt to exploit more systems by targetting random IP addresses, if the date is before the 20th of the month. The worm will not make such HTTP requests to the IP address of 127.*.*.* thus, avoiding the loopback address.

Further threads cause Webpages to appear to be defaced if the system's default language is U.S. English. First, the thread sleeps 2 hours and then hooks a function, which responds to HTTP requests. Instead of returning the proper Webpage, the worm returns its own HTML.

The HTML displays:

Welcome to http:// !

Hacked By Chinese!

This hook lasts for 10 hours and is then removed. However, reinfection or other threads can rehook the function.

Also, if the date is between the 20th and 28th, the active threads then attempt a Denial of Service attack on a particular IP address by sending large amounts of junk data to a port 80 (web service) of, which is

This IP address is no longer active.

Finally, if the date is greater than the 28th, the worm's threads simply are directed into an infinite sleep.

The multiple thread creation can cause system instability.

Removal instructions:

To remove the worm obtain and apply the patch located here and restart the system.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »