Code Red II Variant on the Prowl | eWeek

Code Red II Variant on the Prowl

Verfasst von
Dennis Fisher
Dennis Fisher
Mar 11, 2003
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Security experts are watching a new variant of the Code Red II worm that began appearing on some monitoring networks Tuesday. The worm is nearly identical to its ancestor, save for a modified drop-dead date that is now several thousand years in the future.

Known as Code Red.F, the worm uses the same infection method as the previous versions, attacking Web servers running Microsoft Corp.s IIS software. The worm so far has infected only a few machines, and because most administrators patched their servers after the initial Code Red outbreak in 2001, it is unlikely to spread extensively, experts say.

All of the Code Red worms exploit an unchecked buffer in the Index Server in the IIS software. They then spread by infecting one machine and then scanning a list of random IP addresses and attempting to connect to port 80. The original Code Red, which struck in July 2001, infected several hundred thousand IIS servers and caused massive traffic disruptions on some portions of the Internet.

Roger Thompson, the technical director of malicious code research at TruSecure Corp., in Herndon, Va., first began seeing new worm activity Tuesday morning. His WormCatcher network of distributed hosts monitoring activity on ports that worms commonly use started catching packets that were 3,818 bytes long coming in on port 80.

“After looking at it, it was quite obviously a Code Red II variant,” he said. “Its not going to be as bad as the previous version, but it will stay with us.”

Thompson said he had seen 20 unique infections as of Tuesday afternoon.

Like the first Code Red, this version of the worm code contains a date on which it is set to stop attempting to propagate itself. Code Red II died in October 2001, but Code Red.F wont exhaust itself for about 30,000 years, Thompson said.

The change in the drop-dead date and the fact that the buffer overflow is caused with a multitude of Xs instead of Ns are the only differences between Code Red II and its offspring.

Most Recent Security Stories:

Search for more stories by Dennis Fisher.
Find white papers on security.
For more security news, check out Ziff Davis Medias Security Supersite.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.