Code Red II Variant on the Prowl
However, worm so far has infected only a few machines and is unlikely to spread extensively, experts say.Security experts are watching a new variant of the Code Red II worm that began appearing on some monitoring networks Tuesday. The worm is nearly identical to its ancestor, save for a modified drop-dead date that is now several thousand years in the future. Known as Code Red.F, the worm uses the same infection method as the previous versions, attacking Web servers running Microsoft Corp.s IIS software. The worm so far has infected only a few machines, and because most administrators patched their servers after the initial Code Red outbreak in 2001, it is unlikely to spread extensively, experts say. All of the Code Red worms exploit an unchecked buffer in the Index Server in the IIS software. They then spread by infecting one machine and then scanning a list of random IP addresses and attempting to connect to port 80. The original Code Red, which struck in July 2001, infected several hundred thousand IIS servers and caused massive traffic disruptions on some portions of the Internet.
Roger Thompson, the technical director of malicious code research at TruSecure Corp., in Herndon, Va., first began seeing new worm activity Tuesday morning. His WormCatcher network of distributed hosts monitoring activity on ports that worms commonly use started catching packets that were 3,818 bytes long coming in on port 80.
Find white papers on security.
For more security news, check out Ziff Davis Medias Security Supersite.