Yellow alert called for Code Red II worm

The Code Red worm has slithered its way back into the news, but top security vendors have declared only a yellow alert.

Starting in August 2001, the CodeRed.C worm, also known as CodeRed.II, wreaked havoc around the world, rapidly infecting 300,000 servers.

Similar to the initial Code Red worm, this iteration added a back door, or Trojan program, on the machines it infected, giving remote attackers total control of the system, according to Helsinki, Finland-based F-Secure Corp.

As of Tuesday, Symantec Corp.’s Security Response confirmed the presence of CodeRed.C’s feral little brother.

First appearing in the wild 18 months ago, this mutation of the fast-spreading CodeRed.C, dubbed CodeRed.F, is on the loose, but F-Secure Corp. says the worm's destructive potential is low. Differing by only two bytes of data from CodeRed.C, it exploits the same vulnerability in Microsoft Corp.'s Internet Information Server (IIS), causing a buffer overflow on Microsoft's Web servers.

It spreads for 19 days and then stops. Afterwards, for one day only, it launches a denial-of-service (DoS) attack against the White House at, and then becomes dormant. The cycle repeats each month.

However, unlike CodeRed.C, the CodeRed.F worm is not self-terminating. The two-byte alteration changes the aspect of CodeRed.C that stopped it from spreading at the end of 2002. As a result, CodeRed.F will spread indefinitely, according to F-Secure.

CodeRed.F is treatable by the same patch as the initial Code Red virus. F-Secure therefore says the number of casualties is likely to be low, most of them being home machines without a firewall or antivirus software, and forgotten Web servers.

– With files from IDG News Services