A new and potentially more serious version of the Code Red computer worm began circulating over the weekend, according to several computer security-related companies and services.
Code Red II is said to be more aggressive than the original worm because it installs a backdoor in servers that allows attackers to easily access the infected computer. Once logged in through the backdoor, attackers can gain control of the machine by changing passwords and also have the ability to copy, browse or delete files.
Like the original Code Red, the new worm targets computers running Microsoft Corp.’s Windows 2000 and Windows NT 4.0 operating systems and the Internet Information Server (IIS) software, said Computer Associates International Inc. Personal computers running other operating systems, including other versions of Windows, are not targeted by Code Red or Code Red II. Neither are Windows 2000 machines that are not running IIS.
Code Red II is not a variant of the original Code Red, according to Security Focus Inc., but rather a brand new worm that shares signatures of the original and imitates the method of attack. Machines already infected with Code Red can be re-infected with Code Red II, and it may be more difficult to detect because it automatically dies after two days, said Security Focus.
Server operators are said to be able to recognize the new version of the worm by a string of letter “X”s it sends in place of the “N”s sent by the original version, said the Incidents.org security Web site.
The good news is that the new worm does appear to be stopped by the Code Red patch that is available from Microsoft and already installed on thousands of computers, according to CA. Microsoft’s patch and related information is available at http://www.microsoft.com/technet/itsolutions/security/topics/codealrt.asp.
Security Focus recommends server administrators who have not already downloaded the Code Red patch from Microsoft do the following: Download Microsoft’s patch from the Internet; disconnect your machine from the Internet; reboot your system to clear the worm from memory; apply the patch to prevent re-infection; reboot your system; reconnect to the Internet.
Code Red was originally discovered in mid-July, shortly before it caused infected machines to launch a denial of service attack against the White House Web server. The worm lay dormant from July 27 until the end of the month, when it reactivated and began to infect computers again.
