Code Red and Blue Worms
Last updated: 9/18/01
MS Security bulletin - Code Red Worm
The following is a security bulletin from Microsoft.
The Microsoft Security Response Center, along with other
organizations listed below, is jointly publishing this alert.
ALL IIS ADMINISTRATORS ARE ASKED TO READ THIS ALERT.
A Very Real and Present Threat to the Internet:
July 31 Deadline For Action
The Code Red Worm and mutations of the worm pose a
continued and serious threat to Internet users. Immediate action
is required to combat this threat. Users who have deployed
software that is vulnerable to the worm (Microsoft IIS
Versions 4.0 and 5.0) must install, if they have not
already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems
in just 9 hours. The worm scans the Internet, identifies
vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others, causing
the rate of scanning to grow rapidly. This uncontrolled growth
in scanning directly decreases the speed of the Internet and
can cause sporadic but widespread outages among all types of
systems. Code Red is likely to start spreading again on
July 31st, 2001 8:00 PM EDT and has mutated so that it may be
even more dangerous. This spread has the potential to disrupt
business and personal use of the Internet for applications such
as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you
are not certain, follow the instructions attached to determine
whether you are running IIS 4.0 or 5.0. If you are using
Windows 95, Windows 98, or Windows Me, there is no action
you need to take in response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability:
- Windows NT version 4.0:
- Windows 2000 Professional, Server and Advanced Server:
Step-by-step instructions for these actions are posted
Microsoft's description of the patch and its installation,
and the vulnerability it addresses is posted at:
Because of the importance of this threat, this alert is
being made jointly by:
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
Internet Security Systems
Internet Security Alliance
For security-related information about Microsoft products,
please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
9/18 10:48 AM EST Code Red Worm
is back. The following is a notice from my web site hosting
service this AM:
Network Problems. Beginning around 9:20am this morning, a terrific volume
of Windows NT-based probes began to hit our network. These probes are randomly
generated by Windows NT servers on the Internet that have been infected by
the Code Red worm or other variations. Although these probes present no threat
to our FreeBSD servers, the volume of traffic is reducing performance for
some servers. We are working to mitigate the effect on servers, as well as
to restore service to any server that crashes under load. We are currently
receiving over 8000 hits per second from as many as one hundred thousand
NT servers on the Internet. Network performance has not been affected. If
you have a Windows NT or 2000 server/device (running Microsoft Internet Information
Services, Version 4.0 or 5.0) on
the Internet and have not fixed this problem yet, don't you think it is time
to take steps right now to do your part to squash this worm?
Code Blue Worm Deemed Bigger Threat Than Code Red. Code Blue is
deemed to be more threatening to users than earlier Code Red variants
because, unlike Code Red, Code Blue gradually increases its usage of
system resources and, if not stopped, can bring computers running Windows
NT or Windows 2000 to a halt...
Fight off Code Red Threat
Week In Security: Code Red Inspires New Tools; Symantec's New Appliance
Early Efforts Nip Code Red Worm. Following
a concerted effort to make computer users aware of the viruslike Code
Red worm, the FBI said Thursday that the worm's damage will be far
less than originally feared when it enters its scheduled "attack
mode" this weekend.
Code Red II Virus Attacks HK Government Servers
MCSE Training Comes Under Fire. IT
Professionals and trainers are blaming insufficient security training
offered under the nationwide Microsoft Certified Systems Engineer
program for contributing to the spread of Code Red and other damaging...
Firm Blamed For Code Red Costs. 'Was it really necessary to
release full details of the IIS buffer overflow that made the Code
Red I and II worms possible?'
Code Red Creates Hacker Hit List. Anyone with a list of these
wide-open boxes, gleaned from their server logs, has the potential
to anonymously take over a few thousand servers overnight, with full...
'Code Red': The Virus That Will Not Die. The worm has attacked 400,000
to 800,000 server computers since it first struck in mid-July. The
worldwide economic impact: $2.1 billion and counting.
Code Red III Alert In Korea May Be False Alarm - Expert. Nothing
really concrete one way or the other in this most recent story.
Code Red III Detected in South Korea. The
Code Red III worm spreads even faster than earlier versions and leaves
a wider "back door" on infected machines.... 43,201 servers
infected so far.
Code Red Virus 'Most Expensive in History of Internet.' The economic
cost of the original Code Red worm and its more malicious cousin, Code
Red II, has risen to more than $2 billion.
Microsoft Fails to Patch Hotmail Servers, Hit by Code Red. Proving
again that it doesn't practice what it preaches, Microsoft Corp.
on Thursday confirmed that the Code Red worm infected two servers
used for its Hotmail Web-based e-mail service.
Code Red II Computer Worm Spreads in U.S.
Computers Prompt AT&T to Unplug Customer Sites. To
keep the spread of the Code Red worms from slowing down its cable Internet
network, AT&T is blocking access to Web servers that residential
customers are running, a spokeswoman said Wednesday.
Code Red Hits DSL Routers, Cable-MODEM Networks. Time-Warner's RoadRunner
service issued an advisory to its customers this week, acknowledging
that customers "may experience slow network response, flashing
connectivity lights on the cable modem, and other activity, such as
unusual port scan log activity or increased firewall activity." As
Code Red in its approximately four variations has spread, it has also
impacted Qwest DSL customers, which saw their Cisco DSL routers - which
include a Microsoft Internet Information Server interface embedded
in them - knocked off-line...
Writing Group Denies Involvement With Code Red
Releases Code Red Cleanup. The cleanup tool is designed to "eliminate
the obvious effects of the Code Red II worm." It does
not install the patch released by Microsoft to correct the buffer-overflow
bug in the IIS Web server. It may not fix other worms, etc. installed
using the back door installed by Code Red II. Scans looking for servers
with the back door are being detected. Tool
description and download.
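The hosting-service notice above describes the worm's probe traffic as seen by a server that is not itself vulnerable, the "Hacker Hit List" item notes that the probing addresses can be harvested from server logs, and the cleanup-tool item notes that scans for the Code Red II back door are being detected. The following is an added example, not code from this page or from any of the sources it quotes, of how a web-server operator could triage an access log for both kinds of traffic. Code Red's propagation probe was a GET for /default.ida with a long run of N (the original worm) or X (Code Red II) characters followed by a %u-encoded payload, and Code Red II left a copy of cmd.exe as root.exe under the /scripts and /msadc virtual directories, so anyone scanning for that back door requests /scripts/root.exe or /msadc/root.exe. The log format (Apache common log format), the 100-character threshold and the sample lines are constructed for this example. Every source address that sends the .ida probe is itself an infected IIS server, which is exactly the list the hit-list item warns about; a root.exe request that the local server answered with 200 rather than 404 means the back door is present locally.

```python
import re
from collections import Counter, defaultdict

# Apache "common log format": client, identity, user, [timestamp], "request", status, size.
# Assumed for this example; IIS W3C logs carry the same fields in other columns.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red / Code Red II propagation probe: the .ida ISAPI-filter overflow request.
# Hundreds of N (Code Red) or X (Code Red II) precede the %u-encoded payload; the
# minimum run of 100 (an assumed threshold) keeps stray .ida requests out of the match.
IDA_PROBE = re.compile(r'^/default\.ida\?(N{100,}|X{100,})', re.IGNORECASE)

# Scan for the Code Red II back door: cmd.exe copied to root.exe under the
# /scripts and /msadc virtual directories, driven with "?/c+<command>".
BACKDOOR_SCAN = re.compile(r'^/(scripts|msadc)/root\.exe(\?|$)', re.IGNORECASE)


def classify(path):
    """Label one request path."""
    if IDA_PROBE.match(path):
        return "codered-ida-probe"
    if BACKDOOR_SCAN.match(path):
        return "codered2-backdoor-scan"
    return "other"


def triage(log_text):
    """Count requests per label, collect the source addresses behind the
    worm-related ones, and report the busiest one-second bucket.
    Returns (counts, sources, peak_per_second)."""
    counts = Counter()
    sources = defaultdict(set)
    per_second = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        label = classify(m.group("path"))
        if label == "codered2-backdoor-scan" and m.group("status") == "200":
            # The local server answered the back-door request: it is compromised,
            # not merely being scanned.
            label = "codered2-backdoor-served"
        counts[label] += 1
        if label != "other":
            sources[label].add(m.group("ip"))
            per_second[m.group("ts")] += 1  # the timestamp has one-second resolution
    peak = max(per_second.values(), default=0)
    return counts, {k: sorted(v) for k, v in sources.items()}, peak


def _entry(ip, ts, path, status, size):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} {size}'


# Constructed sample log (documentation addresses, not from any real server).
# A non-IIS server answers the probes with 404, which is what the FreeBSD
# hosting service quoted above would have seen: load, not compromise.
PAYLOAD = "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    _entry("192.0.2.10", "18/Sep/2001:09:20:01 -0400", "/default.ida?" + "N" * 224 + PAYLOAD, 404, 283),
    _entry("192.0.2.10", "18/Sep/2001:09:20:03 -0400", "/default.ida?" + "X" * 224 + PAYLOAD, 404, 283),
    _entry("198.51.100.7", "18/Sep/2001:09:20:04 -0400", "/scripts/root.exe?/c+dir", 404, 283),
    _entry("198.51.100.7", "18/Sep/2001:09:20:04 -0400", "/msadc/root.exe?/c+dir", 404, 283),
    _entry("203.0.113.99", "18/Sep/2001:09:20:06 -0400", "/index.html", 200, 1043),
])

if __name__ == "__main__":
    counts, sources, peak = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{label:26s} {n}")
    for label, ips in sources.items():
        print(f"{label}: {', '.join(ips)}")
    print(f"peak worm-related requests in one second: {peak}")
```

On a real log the `sources["codered-ida-probe"]` list is the set of infected servers that probed you; the hit-list item's point is that this list is equally available to an attacker reading the same logs, since every entry on it still has the hole (and, after Code Red II, the root.exe back door).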
a Virus? You're Sued! Analysts are
now predicting that those who have been lax in their security practices
will begin to find themselves on the losing end of civil suits for...
Worm's Sequel Becomes More Damaging Than Original. "In
the next few days I expect you'll see kids scanning around for systems
that have this unlocked back door, looking for a way to take advantage
of it," Blake said. Machines already infected with Code
Red can be re-infected with Code Red II. Computer users with
cable modems are seeing one of the side effects of Code Red II's search
for servers to infect. These users, including those using the
Road Runner system in Texas, are seeing a rapidly flashing data light
on their modems.
Code Red II Worms Its Way Deeper Into Internet. Costing
nearly $2 billion and on its way to becoming one of the most expensive
security threats to hit the Internet. "We're already seeing reports
of denial of service attacks starting up..." Some slowdowns
for U.S. cable modem networks.
Code Red-Like Worm 'Storming Back'. Called "Code Red C" or "Code
Red II" by some researchers... Fearnow, SANS Institute incident
handler, said from Indianapolis that about 100,000 systems were infected
Sunday, and in a "conservative" estimate, another 50,000
to 100,000 may be victimized through Monday.
Code Red II Crashes Dinner for Internet Experts. "The
cumulative effect of all those (infected) boxes being available is
probably going to be significantly worse than anything we've seen thus far."
Code Red Cuts Off Qwest DSL Service. 'The vast majority of Qwest's
360,000 DSL customers are not affected.'
Code Red: Worse Than the First? A new and
possibly more virulent version of the worm was detected circulating
the Internet over the weekend, attacking machines and leaving them
vulnerable to other intruders.
More Serious Code Red II Worm on the Loose. Installs
a backdoor in servers that allows attackers to easily access the infected
computer, gain control of the machine by changing passwords, and gives
them the ability to copy, browse, and delete files.
8/1 (Updated) Code
Red Worm is Scanning the Internet... The
Code Red worm is active and looking for servers to infect. The
increasing activity “is indicative of the first phase of operation
for the worm, in which it scans random IP addresses for systems to compromise,”
CERT reported. “These reports indicate that the number of compromised
systems is increasing exponentially.”
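CERT's description above of a worm that scans random IP addresses while the count of compromised systems grows exponentially follows from a simple model, worked here as an added illustration that is not from the page or from CERT. A worm probing 32-bit addresses uniformly at random hits a vulnerable, still-uninfected host with probability (N - I)/2^32 per probe, so with I infected hosts each sending r probes a second, dI/dt = r I (N - I) / 2^32. That is logistic growth: exponential while I is small compared with N, saturating at N once most of the vulnerable population is already infected. The vulnerable-population size and scan rate used below are assumptions chosen for the example, not Code Red's measured values; the example also shows what patching does to the curve, since removing vulnerable hosts shrinks N and with it both the growth rate and the ceiling.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws from


def growth_constant(vulnerable, scan_rate):
    """K = r*N/2^32: the per-second exponential growth rate while I << N."""
    return scan_rate * vulnerable / ADDRESS_SPACE


def simulate(vulnerable, scan_rate, seeds=1, seconds=3600, dt=1.0):
    """Euler-integrate dI/dt = r*I*(N-I)/2^32 in steps of dt seconds.
    Returns the infected count at every step, starting with the seeds."""
    k = scan_rate / ADDRESS_SPACE
    infected = float(seeds)
    history = [infected]
    for _ in range(int(round(seconds / dt))):
        infected += dt * k * infected * (vulnerable - infected)
        infected = min(infected, float(vulnerable))  # cannot exceed the population
        history.append(infected)
    return history


def closed_form(vulnerable, scan_rate, seeds, t):
    """Exact logistic solution I(t), for checking the simulation."""
    K = growth_constant(vulnerable, scan_rate)
    a0 = seeds / vulnerable
    e = math.exp(K * t)
    return vulnerable * a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(vulnerable, scan_rate, seeds, fraction):
    """Seconds until `fraction` of the vulnerable population is infected."""
    K = growth_constant(vulnerable, scan_rate)
    a0 = seeds / vulnerable
    return math.log((fraction / (1.0 - fraction)) * ((1.0 - a0) / a0)) / K


def doubling_time(vulnerable, scan_rate):
    """Early-phase doubling time ln2/K, in seconds."""
    return math.log(2) / growth_constant(vulnerable, scan_rate)


if __name__ == "__main__":
    # Assumed parameters for illustration: 360,000 vulnerable hosts, each infected
    # host probing 10 addresses per second, one initial infection.
    N, r = 360_000, 10.0
    hist = simulate(N, r, seeds=1, seconds=8 * 3600)
    print(f"K = {growth_constant(N, r):.2e}/s, early doubling time {doubling_time(N, r) / 60:.1f} min")
    for hour in range(0, 9):
        i = hist[hour * 3600]
        print(f"t = {hour}h  infected = {i:>10.0f}  ({100 * i / N:5.1f}%)")
    print(f"half the population infected after {time_to_fraction(N, r, 1, 0.5) / 3600:.2f} h")
    # Patching a quarter of the hosts before the worm wakes shrinks N, which
    # both lowers the ceiling and slows the exponential phase.
    patched = 3 * N // 4
    print(f"with N = {patched}: half infected after {time_to_fraction(patched, r, 1, 0.5) / 3600:.2f} h")
```

The curve this prints is flat for hours, then climbs through most of the population in a couple of hours, then stops: the "exponential" phase CERT reports is the early part, and the scanning load on the rest of the Internet peaks just as saturation is reached.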
Code Red Damage Will Hinge On Voluntary Patching. If users don't
download patches for the more than 6 million computers that are vulnerable
to the virulent Code Red worm before the virus wakes from its dormancy
tonight, the next outbreak of the worm could cause more harm than the...
How to Protect Your Computer from The 'Code Red' Worm
Offer Tips on Foiling Code Red
Code Red Worm Carries Larger Warning. Federal computer security
experts are using the Code Red computer worm to raise agency executives'
awareness that a formal process is needed for fixing problems that
make systems vulnerable to such attacks.