Code Red II
Type: Server Jamming Worm
Code Red II is a computer worm similar to the Code Red worm. Released on August 4, 2001, two weeks after Code Red, it behaved much like the original, but analysis showed it to be a new worm rather than a variant. The worm was designed to exploit a security hole in the indexing software included as part of Microsoft's Internet Information Server (IIS) web server software.
A typical signature of the Code Red II worm would appear in a web server log as:
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
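
One way to flag this signature when reviewing access logs, as an added example that is not part of the original article: it looks for a request to an `.ida` path whose query is a long run of one padding character followed by `%uXXXX` tokens. The function names, the 100-character threshold, the labels and the sample log lines are assumptions made for illustration, and the check generalizes slightly beyond the text by also reporting padding characters other than `X`.

```python
import re

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# Query shape of the signature: one character repeated 100+ times as padding,
# followed by a run of %uXXXX tokens. The threshold of 100 is an assumption.
OVERFLOW_RE = re.compile(
    r"^(?P<pad>(?P<ch>[A-Za-z])(?P=ch){99,})(?P<enc>(?:%u[0-9a-fA-F]{4})+)")

def classify(log_line):
    """Return a finding dict for an .ida overflow-shaped request, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith(".ida"):
        return None
    hit = OVERFLOW_RE.match(query)
    if not hit:
        return None
    ch = hit.group("ch")
    return {
        "source": log_line.split(" ", 1)[0],
        # X padding matches the signature shown above; anything else is only similar.
        "label": "code-red-ii-signature" if ch == "X" else "ida-overflow-shaped",
        "pad_char": ch,
        "pad_len": len(hit.group("pad")),
        "encoded_tokens": len(hit.group("enc")) // 6,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log (documentation addresses, abbreviated %u tail).
TAIL = "%u9090%u6858%ucbd3%u7801" * 2 + "%u00=a"
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [04/Aug/2001:10:00:02 +0000] "GET /default.ida?' + "X" * 224 + TAIL + ' HTTP/1.0" 404 205',
    '192.0.2.78 - - [04/Aug/2001:10:00:03 +0000] "GET /default.ida?' + "A" * 150 + TAIL + ' HTTP/1.0" 404 205',
    '192.0.2.11 - - [04/Aug/2001:10:00:04 +0000] "GET /search.ida?q=report HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by `source` shows which hosts are sending the request, which matters here because the worm favoured machines on the infected host's own subnet.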
Where the original worm tried to infect other computers at random, Code Red II tried to infect machines on the same subnet as the infected machine.
Microsoft had already released a security patch for IIS that fixed the security hole on June 18, 2001;[1] however, not everyone had patched their servers, including Microsoft itself.[2]
eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).
See also
- Notable computer viruses and worms
- Nimda Worm
References
- [1] Microsoft (2001-06-18). "Microsoft Security Bulletin MS01-033". Microsoft TechNet. http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx. Retrieved 2007-02-08.
- [2] Joris Evers (2001-08-09). "Microsoft Sees Red: Worm Infects Its Own Servers". IDG News Service. http://www.pcworld.com/article/id,57584-page,1/article.html. Retrieved 2007-02-08.
External links
- Original Analysis of Code Red II - analysis by Steve Friedl
- ANALYSIS: CodeRed II Worm - analysis by eEye Digital Security
Categories: Exploit-based worms
Wikimedia Foundation. 2010.