Code Red Self Test
What is the Code Red Worm?
The Code Red Worm is a self-replicating piece of software that infects
IIS web servers by exploiting a well-known vulnerability, known as the IIS
ISAPI buffer overflow.
Once it has infected a host, the worm will perform one of several different
actions, depending on the version of the worm involved, the language of
the system in use, and the value of the system clock. The worm:
- Scans the internet looking for additional servers that it can infect, (all
- Launches denial of service attacks against the White House's official Web Site. (original worm and a variant).
- Installs a backdoor accessible over the web (version II).
Code Red II
There are several known variants of the worm in the wild. The first were
limited in their damage because of a limitation in how they scanned for
new web servers to infect. The latest version, dubbed Code Red II, opens
a backdoor on your system allowing anyone access to your server, even if
you close the original hole that it exploited.
Why is this worm different?
This particular worm is extremely aggressive in how it searches for
its victim hosts. An infected machine searches the net for additional
IIS servers to compromise. For each host that it infects, the newly infected
host in turn joins all others in scanning, causing the rate of scanning to
If you are running your browser from the same system running your web server,
simply click the following button to determine if your system is
susceptible to the Code Red Worm, and if you are already infected by Code Red II.
|Test Me Now|
How Do I Stop It?
The original worms did not do any damage to your system (other than consuming
bandwidth and possibly making you unpopular with other system administrators).
A simple reboot along with patching the security hole exploited would
solve your problem.
Code Red II
The latest worm is not so benign. While the second worm affects only Win2000
based systems running IIS servers, it does place a backdoor into the system
that essentially makes "cmd.exe" available for use through the web via two
A thorough analysis of the worm can be found
Currently, the safest course of action is to completely rebuild
your system and to properly harden it by applying the appropriate
patches from Microsoft. This may seem drastic, but remember:
- Your system has been vulnerable for some time to a problem that
others may already have exploited in ways that are not obvious.
- If your system was infected with any of the Code Red worms, it has
been actively screaming at any webserver it can find on the net that
your system is vulnerable because the worm on it is trying to infect
The security bulletin issued by Microsoft that discusses the vulnerability
that these worms are exploiting is
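
As an added example (not part of the original page or of the self test it offers), the following Python code looks in IIS W3C logs for the scanning described above and for requests to the Code Red II backdoor. The `.ida` padding patterns and the `root.exe` paths are taken from public advisories on these worms rather than from this page, the label names are hypothetical, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 10:01:12 203.0.113.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404
2001-08-05 10:03:40 198.51.100.23 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
2001-08-05 10:04:02 198.51.100.23 GET /scripts/root.exe - 200
2001-08-05 10:09:55 192.0.2.50 GET /msadc/root.exe - 404
2001-08-05 10:11:30 192.0.2.99 GET /index.html - 200
"""

# Indicators from public advisories (assumption: not listed on this page).
IDA_STEM = re.compile(r"\.ida$", re.I)
BACKDOOR_STEM = re.compile(r"/(scripts|msadc)/root\.exe$", re.I)

def classify(stem, query, status):
    """Return a finding label for one request, or None if it looks unrelated."""
    if IDA_STEM.search(stem):
        # Long runs of N (original worm) or X (Code Red II) pad the query string.
        pad = re.match(r"(N{16,}|X{16,})", query)
        if pad:
            return "codered-probe" if pad.group(1)[0] == "N" else "codered2-probe"
    if BACKDOOR_STEM.search(stem):
        # A 200 means the copied cmd.exe answered: treat the host as compromised.
        return "backdoor-present" if status == "200" else "backdoor-probe"
    return None

def scan(log_text):
    """Map each finding label to the list of client IPs that triggered it."""
    fields, findings = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        label = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"),
                         row.get("sc-status", ""))
        if label:
            findings[label].append(row.get("c-ip", "?"))
    return dict(findings)

if __name__ == "__main__":
    for label, ips in scan(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(ips)}")
```

A `backdoor-present` finding is the case the rebuild advice above applies to; probe findings only show that an infected host somewhere was scanning you.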
© 1998-2019 E-Soft Inc. All rights reserved.