Study: Code Red costs top $2 billion

The worldwide labour costs associated with cleaning up the Code Red worm and its variants, including the still-rampaging Code Red II, now total more than US$2 billion – and are rising, according to one research firm tracking the menace.

With an estimated 760,000 computers infected, Carlsbad, Calif.-based research firm Computer Economics Inc. estimates labour costs to date associated with repairing corrupted systems at $1.29 billion, with another $716 million consumed by lost productivity among affected users and IT support and help desk staffs.

Code Red and Code Red II, a more virulent sequel worm that began attacking systems worldwide in early August, exploit a known hole in Microsoft Corp.’s Internet Information Server (IIS) software. A patch for the vulnerability has been available since mid-June.

But there’s no imminent end in sight to the worms’ spread, said Computer Economics vice-president of research Michael Erbschloe. “My sense is we’re sort of in the middle of it. It’s kind of hard to call. We know people still are downloading patches from the Microsoft site.”

Code Red’s final cost is unlikely to eclipse the $8.7 billion price tag Computer Economics hung on damage attributable to the Love Bug, a virus that swept through the IT landscape last year, he said.

“If people don’t get these servers patched, this is going to go on forever, and yes, it could be more (costly) than Love Bug. But I’m really anticipating patching before that point,” he said.

Computer Economics came up with its estimates by studying various news reports and expert analyses to determine a “consensus” figure for the number of computers and servers affected worldwide, Erbschloe said. The firm then lined that number up against its previously collected benchmarking data to determine an average per-server clean-up cost (ranging from $300 to more than $1,000, according to Erbschloe). Those figures, combined, led the company to its $2.05 billion “total economic impact worldwide” statistic.

Because Microsoft’s IIS software runs on Windows NT and 2000, operating systems most commonly used by businesses, home users have been relatively unscathed by Code Red and Code Red II. Systems running Microsoft Windows 95, 98 or ME are unaffected by the virus. But devices like routers that are running IIS and are used in home networking systems, as well as high-speed Internet access networks used by consumers, could be vulnerable.

However, some cable modem service operators said they’ve seen little Code Red impact on their networks.

“We’re continually monitoring the situation, and the impact has been minimal,” At Home Corp. spokeswoman Estela Mendoza said. At Home, known by its Excite@Home brand, operates a cable modem network that serves 3.6 million residential users.

“I think things are going pretty well. We continue to have had a minimal impact from it,” said Mike Luftman, a spokesman for AOL Time Warner Inc., which operates the Road Runner cable modem service. The worm has affected fewer than 1,000 of the company’s 1.2 million residential customers, he said.

Road Runner and Excite@Home have experienced some localized slowdowns, but no uncontrollable breakouts, the representatives said. Both said the cost of fighting Code Red would be minor for their companies.

Two major DSL (digital subscriber line) providers also expressed no worries about the worms’ impact. Code Red has had minimal effect on network operations because there was enough advance planning and warning issued to customers, representatives of both providers said, asking that their companies not be identified.

Computer Economics is in Carlsbad, Calif.; AOL Time Warner is in New York; At Home Corp. is in Redwood City, Calif.