Code Red II spreading
Kevin Poulsen, SecurityFocus
2001-08-05
New worm installs back doors as it works.
A new, rapidly spreading Internet worm that exploits the same vulnerability as last month's Code Red virus emerged over the weekend, and security experts are warning that it may be more malicious than the original.
The so-called Code Red II worm was spotted in the wild Saturday. It attacks Windows 2000 machines running the Microsoft IIS web server package. As with Code Red, only web servers are vulnerable -- home PC users are generally immune.
The new worm gets its name from a string of text found buried within it, "CodeRedII," the presence of which suggests that the worm's author found inspiration in the Code Red worm that first emerged July 11th and spread to hundreds of thousands of servers worldwide.
Like its namesake, Code Red II spreads on its own power, cracking systems by exploiting a buffer overflow vulnerability in IIS that was discovered by eEye Digital Security in June. It can be blocked by downloading the latest IIS security patch from Microsoft.
Despite its similarities, Code Red II is not a variant of the Code Red virus.
Among other differences, the new worm creates a back door on every server it compromises, allowing attackers to gain access to the systems later, according to a joint analysis by eEye and SecurityFocus' ARIS Incident Analysis team.