Vigilinx sent out this press release with fear mongering and errata: "The worm could slow Internet speed or, in some instances, halt it completely."

Date: Mon, 30 Jul 2001 17:01:28 -0400
From: Jenny Fuerst (
Subject: 7/30 Vigilinx Alert Update: Code Red

I am sure you are already aware of the broad coverage Code Red has received
to date. In fact, according to a recent media advisory, several
organizations (such as Critical Infrastructure Assurance Office (CIAO),
Federal Computer Incidence Response Center (FedCIRC), National
Infrastructure Protection Center (NIPC), Information Technology Association
of America (ITAA), CERT Coordination Center, SANS Institute, and
Information Technology - Information Sharing and Analysis Center (IT-ISAC),
among others) are holding a press conference today in Washington, DC, to
address the "threat posed by  the Code Red Internet Worm and to advise
organizations with Internet-connected computer systems to take immediate
action to respond to the threat."

Vigilinx' Media Alerts Program provides media representatives with Security
Intelligence (SI) on the latest security threats, attack tools,
vulnerabilities, and viruses. It also informs media reps of global
geopolitical cyber events that may impact business or global e-commerce.
The alert below offers some updated information on Code Red. The purpose of
this alert is to underscore the importance of taking effective precautions
against Code Red. Vigilinx is the leading full-service provider of digital
security solutions.

The Code Red Worm is programmed to restart its life cycle at midnight GMT
on August 1, 2001 (7 p.m. EST July 31).  The worm could slow Internet speed
or, in some instances, halt it completely.  It is easy to prevent systems
from falling victim to the Code Red Worm.  Vigilinx encourages
administrators to patch their servers and update antivirus files
applications to prevent re-infection.

Please note the hot line at the end of this e-mail, which you may call
after hours for quotes from a Vigilinx security intelligence spokesperson.
You may also contact me at 614/888-1374 or at

Jenny Fuerst


Alert ID 2446

Alert Headline Worm: Code Red Version 1 and Version 2
Threat Category Malicious Code
Threat Technique Worm


Version 7

Published Date 7/30/01 12:05:59 PM



The Code Red worm restarts its life cycle beginning at midnight GMT on
August 1, 2001 (7:00 PM EST on July 31st).  Administrators should ensure
that all servers are patched and anti-virus files are updated to prevent
re-infection from this worm.

The worm is programmed to scan and propagate during the first 19 days of
the month, attempting to infect as many hosts as possible.  From the 20th
to the 27th of the month, the worm conducts a DoS attack against  The worm lies dormant from the 28th until the end of
the month.

The original worm and the unnamed variant (Version 2) are only slightly
different.  The randomization problem was corrected in Version 2 by
replacing the seconds and milliseconds of the system time as the seed,
which prevents the worm from beginning the Internet scan from the same IP
address and allows it to propagate faster.

Additionally, the defacement routine is not accessed in Version 2, which
prevents the worm from defacing web sites.  This also prevents users from
noticing that the Code Red variant has infected their system.

Code Red exploits a Microsoft Internet Information Service (IIS)
vulnerability that involves an ISAPI buffer overflow. The vulnerability,
which is described in Vigilinx Alert 2337, allows a remote attacker to gain
complete control of the target server.

The worm checks for the existence of the file notworm in the root
directory.  If it exists, the worm scans the Internet for vulnerable IIS
servers.  Once a vulnerable system is found, the worm remotely exploits the
IIS vulnerability and infiltrates the system.  If the worm defaces the web
site on the web server, it replaces the request for the original file with
a file containing the text "Welcome to! Hacked By

The original Code Red worm defaces web sites, but both worms attempt to
perform a distributed denial of service (DDoS) attack if the system time is
greater the 20:00 UTC.  The worm creates a loop, causing it to send a
single byte to approximately 98,000 times.

Aliases include W32/Bady.worm and CodeRed.A.


Systems running unpatched versions of IIS are vulnerable.


The purpose of this re-amplification is to underscore the importance of
taking effective precautions against Code Red.  The following paragraphs
provide background and worm characteristics:

The original worm code analysis released July 13 included the code of the
"variation."  Additional analysis of the worm code indicates that the
seconds and milliseconds used by the worm determine the IP address seed.
The number of threads and the language of the server may determine if a web
site is defaced.  Other sites and administrators were reporting the
"variant" as early as July 22.  Administrators were reporting that their
IIS 3.0 and 4.0 servers where not being defaced, but were infected and
performing the other actions associated with the worm.  These servers were
also crashing because of the buffer overflow exploit and the huge log files
that were being created by the worm's activities.

Due to the scanning of infected IIS servers, attackers monitoring their own
firewall and intrusion detection systems can create a list of infected and
vulnerable servers.  Attackers can manually exploit this vulnerability,
gain root access, and then completely compromise the system with a trojan,
back door, or other malicious code.

Sources indicate that the Code Red worm has a specific life cycle that it
follows as it propagates and executes DDoS attacks.  During the first 19
days of the month, the Code Red worm focuses its efforts on propagation in
an attempt to infect as many hosts as possible.  From the 20th to the 27th
of the month, the worm conducts a DoS attack against
The worm lies dormant from the 28th until the end of the month.  Current
analysis indicates that this life cycle continues indefinitely.

The propagation method used by this worm sends certain requests that may
cause Cisco DSL routers 675, 677, and 678 to hang.  These routers must be
restarted to return normal functionality.  A similar vulnerability
concerning malformed requests to Cisco routers is discussed in Vigilinx
Alert 1504.  Cisco has also reported that vulnerable versions of Microsoft
IIS run on Cisco's CallManager, Unity Server, uOne, and Integrated
Communications System (ICS) 7750.

This worm is similar to Sadmind/IIS, which also uses an IIS vulnerability
to infiltrate the system.  Sadmind/IIS is described in Vigilinx Alert 2184.

The worm exploits the .ida. vulnerability in Microsoft IIS servers.
Microsoft has released a bulletin, patch, and additional information for
securing this vulnerability.  Administrators are encouraged to patch their
systems immediately to protect against the infection and propagation of
this worm.

Patches and antivirus updates are available to block infection by this
worm.  Regardless, there is potential that the large amount of traffic this
worm generates through its scanning and propagation will adversely affect
overall Internet performance


This worm scans the Internet for IIS machines that have not been patched
and are susceptible to a recent IIS vulnerability. The routine used to scan
for IP addresses is not very random, causing the beginning IP addresses to
be continually scanned by each newly infected host.  This may cause a
denial of service (DoS) on some of those systems.

However, the second version of Code Red fixed the randomization routine,
allowing it to scan and infect the entire Internet quickly. The worm
infiltrates vulnerable systems and the original version of Code Red
attempts to deface the web site.

The worm also attempts to perform a DDoS attack against


Microsoft has released Security Bulletin <>MS01-033 to address this


All customers are encouraged to install the patches provided by Microsoft.

SANS reports that the worm seems to disappear if the infected machine is
turned off.  Vigilinx has been unable to confirm this.  However, if this is
true, this only eliminates the memory- resident worm.  If the system is not
patched it will remain susceptible to re-infection.

If for some reason customers cannot install the patch immediately, use the
IIS Internet Services Manager to remove the script mappings for .idq and
.ida files.  However, this is only a temporary fix because these mappings
could be automatically reinstated if additional system components are added
or removed.

Customers are not vulnerable if they have installed Index Server or Index
Services, but not IIS.  Customers also are not vulnerable if the script
mappings for Internet Data Administration (.ida) and Internet Data Query
(.idq) are not present.

Intrusion Detection Systems (IDS) that are capable of detecting an .ida
overflow should detect the attack.  In addition, the following is part of
the packet data that can be used to set the IDS to monitor for this
information and possibly prevent infiltration:










%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"


Microsoft has released patches for Windows NT 4.0, Windows 2000
Professional, Server, and Advanced Server.  The patches can be downloaded
from the following links:

Windows NT

2000 Professional, Server, and Advanced Server

Patches for Windows 2000 Datacenter Server are hardware-specific and should
be obtained from the original equipment manufacturer.

A DAT file from McAfee to detect Code Red will be available on July 25 and
can be obtained at the following link:

DAT files 917 and newer from Trend Micro to detect Code Red are available
at the following link: Trend


Version 6
July 27, 2001; 04:33 PM :The Code Red Worm is programmed to re-start its
life cycle at midnight GMT on August 1, 2001.  Administrators should insure
servers are patched and anti-virus files are updated to guard against

Version 5
July 23, 2001; 02:15 PM: A new variant of the virus has been discovered in
the wild.  The latest version corrects the randomization of Internet
Protocol (IP) addresses being scanned and does not deface web sites but can
cause the IIS server to crash.

Version 4
July 20, 2001; 10:39 AM:  Vigilinx has received new information describing
the extent of the Code Red worm outbreak and information describing its
life cycle.  Patches are available to prevent infection from this worm and
to repair the vulnerability that this worm exploits.

Version 3
July 19, 2001; 07:50 PM: Detailed analysis of the worm has been made
available.  Additional information concerning another worm payload to
perform a distributed denial of service (DDoS) attack against the web site has been provided.  The worm has also been reported to
cause a denial of service in some Cisco DSL routers.

Version 2
July 18, 2001; 06:25 PM: More information concerning the name of the worm
and its propagation method has been made available.  Antivirus software is
being developed to detect this worm and possible IDS methods are available
to detect an attack.

Version 1
July 17, 2001; 02:58 PM: Reports indicate a new worm is available that uses
a recent Microsoft Internet Information Service (IIS) exploit to infiltrate
vulnerable systems.  Microsoft has released a patch to prevent the
exploitation of this vulnerability.

Copyright 2001 by Vigilinx
The urgency and severity ratings of this alert are not tailored to
individual users; users may value alerts differently based upon their
circumstances. The information within this alert may change without notice.
Use of information in this alert is governed by the terms of the Subscriber
Agreement signed by the user and is subject to the limited warranty and
limitations of liability contained therein. Unsubscribe You are currently
subscribed to Vigilinx Intelligence Alert email. To unsubscribe, send a
blank email to: To change your email address,
please send your old and new addresses to:


Vigilinx understands the urgency involved in gathering quotes and
background information on breaking virus stories.As a recipient of Vigilinx
Intelligence Alerts (VIA), you have access to a 24-hour hotline that
connects you directly to a quotable and knowledgeable member of the
Vigilinx Intelligence team.To help us meet your deadline and quickly
provide you with the information you need, we ask that the hotline is only
used for gathering quotes and more information on breaking virus stories.If
you would like to interview please call Tara Rogers at (614)825-1801, or
send an email request to

VIA HOTLINE: 888-698-4600 (domestic) / 614-336-4144 (International)

The VIA was established to provide a select group of technology editors and
virus reporters with an easy and free means to monitor and track major
virus threats. It is designed to give you the raw information you need to
write an article on a quickly breaking virus story.The VIA are compiled
from diverse information sources and include highlyaccurate analysis of the
full range of security threats and vulnerabilities. This analysis provides
not only detailed, technical descriptions, but also an objective analytical
assessment that identifies specific vulnerability characteristics and
prerequisites. The end result is a realistic and carefully measured
appraisal of the true extent of defensive action required.

Visit Vigilinx on the Internet at

Jenny J. (Phillips) Fuerst
Account Executive
Lord, Sullivan & Yoder Public Relations
250 Old Wilson Bridge Road
Columbus, Ohio 43085
p: 614.888.1374
f: 614.846.2780

See how we think! Visit our Web site at

main page ATTRITION feedback