Tools:   Web Probe  |  World-Wide WHOIS  |  Trace Route  |  Nimda Self Test  |  Code Red Self Test  |  W32.Bugbear
Code Red Self Test

What is the Code Red Worm?
The Code Red Worm is a self-replicating piece of software that infects IIS web servers by exploiting a well-known vulnerability, known as the IIS ISAPI buffer overflow. The worm, once infecting the host, will perform one of several different actions, depending on the version of the worm involved, the language of the system in use, and the value of the system clock. The worm:

Code Red II
There are several known variants of the worm in the wild. The first were limited in their damage because of a limitation in how they scanned for new web servers to infect. The latest version, dubbed Code Red II, opens a backdoor on your system allowing anyone access to your server, even if you close the original hole that it exploited.

Why is this worm different?
This particular worm is extremely aggressive in how it searches for it's victim hosts. An infected machine searches the net for additional IIS servers to compromise. For each host that it infects, the newly infected host in turn joins all others in scanning, causing the rate of scanning to grow exponentially.

Test Me Now
If you are running your browser from the same system running your web server, simply click the following button to determine if your system is susceptible to the Code Red Worm, and if you are already infected by Code Red II.

How Do I Stop It?
The original worms did not do any damage to your system (other consuming bandwidth and possible making you unpopular with other system administrators). A simple reboot along with patching the security hole exploited would solve your problem.

Code Red II
The latest worm is not so benign. While the second worm affects only Win2000 based systems running IIS servers, it does place a backdoor into the system that essentially makes "cmd.exe" available for use through the web via two different mechanisms. A thorough analysis of the worm can be found here.

Currently, the safest course of action is to completely rebuild your system and to properly harden it by applying the appropriate patches from Microsoft. This may seem drastic, but remember

  1. Your system has been vulnerable for some time with a problem that others may already have compromised in ways not obvious.
  2. If your system was infected with any of the Code Red worms, it has been actively screaming at any webserver it can find on the net that your system is vulnerable because the worm on it is trying to infect other systems.

The security bulletin issued by Microsoft that discusses the vulnerability that these worms are exploiting is MS01-033.

© 1998-2022 E-Soft Inc. All rights reserved.