RE: "Code Red" worm questions

From: Eric Chien (ecchien_at_yahoo.com)
Date: 07/19/01


Here are my DRAFT notes that may eventually appear on Symantec's threat
info sites.

...Eric

The CodeRed worm affects systems running Microsoft Index Server 2.0 or the
Windows 2000 Indexing service. The worm uses a known buffer overflow
contained in ISAPI.DLL. Information and a patch regarding this
vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
Administrators are encouraged to apply this patch to prevent infection from
this worm and other unauthorized access.

The worm sends its code via an HTTP request. This code exploits the buffer
overflow, causing the worm to be executed on the system. The code is not
saved as a file, but injected and executed directly from memory. Patching
one's system and rebooting will remove the worm and prevent further infection.

In addition to seeking out new hosts to attack, the worm may attempt a
denial of service attack. Also, the worm creates multiple threads (many of
which simply sleep), which can cause instability of the system.

Also Known As: W32/Bady

Category: Worm

Infection Length: 3569

Threat Assessment:

Wild: Medium
Damage: Medium
Distribution: Low

Wild:
Number of infections: More than 1000
Number of sites: More than 10

Damage:
Payload:
Degrades performance: Will spawn multiple threads and utilize bandwidth.
Causes system instability: Will spawn multiple threads.

Distribution:
Target of infection: Unpatched systems running Microsoft Index 2.0 or
Windows 2000 Indexing Service

Technical description:

The worm sends its code as an HTTP request. The HTTP request exploits the
buffer overflow causing the worm to be executed on the system. The
malicious code is not saved as a file but injected and executed directly
from memory.

Once executed, the worm creates an empty file c:\notworm as a marker that
the initial main thread has occurred.

New threads are then continuously created. The first 100 threads attempt
to exploit more systems by targeting random IP addresses, if the date is
before the 20th. The worm will not make such HTTP requests to the IP
address 127.*.*.*, thus avoiding the loopback address. However, systems
can become infected again.

Further threads cause webpages to appear to be defaced if the system's
default language is US English. First, the thread sleeps 2 hours and then
hooks a function which responds to HTTP requests. Instead of returning the
proper webpage, the worm returns its own HTML.

The HTML displays:

Welcome to http:// www.worm.com !

Hacked By Chinese!

This hook lasts for 10 hours and then is removed. However, new threads that
are created can then rehook the function.

Also, if the date is between the 20th and 28th, the worm attempts a Denial
of Service attack on a particular IP address by sending large amounts of
junk data to a specific high port.

Finally, if the date is greater than the 28th, the worm's threads simply
are directed into an infinite sleep.

The continual thread creation (many of which simply sleep) can cause system
instability.

Removal instructions:

To remove the worm, obtain and apply the patch located at
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp and restart
the system.
The file c:\notworm can also be deleted.

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
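The timing rules in the technical description above (spread before the 20th, denial of service from the 20th to the 28th, sleep afterwards; defacement hook installed 2 hours after infection and lasting 10 hours; 127.*.*.* never targeted; marker file c:\notworm) are the facts an incident responder can use to reason about an infected IIS host. The following Python module is an added example of such defender tooling; it is not part of the original post and not Symantec's or the worm's code. Everything in it is derived from the notes above; the only assumption is that "between the 20th and 28th" is inclusive on both ends, and the function names are hypothetical.

```python
"""Incident-response helpers modelling the CodeRed behaviour described in the notes.
Hypothetical defender tooling, not code from the original post."""
import os
from datetime import datetime, timedelta
from typing import Tuple

MARKER_FILENAME = "notworm"  # the notes name the marker file as c:\notworm

# Day-of-month phases from the technical description.
PROPAGATE_BEFORE_DAY = 20  # "if the date is before the 20th"
DOS_LAST_DAY = 28          # "between the 20th and 28th" (assumed inclusive)

# Defacement timing: the thread sleeps 2 hours, then the hook lasts 10 hours.
HOOK_DELAY = timedelta(hours=2)
HOOK_DURATION = timedelta(hours=10)


def worm_phase(day_of_month: int) -> str:
    """Return the activity an infected host's threads perform on that day:
    'propagate', 'dos' or 'sleep'."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be between 1 and 31")
    if day_of_month < PROPAGATE_BEFORE_DAY:
        return "propagate"
    if day_of_month <= DOS_LAST_DAY:
        return "dos"
    return "sleep"


def would_target(ip: str) -> bool:
    """True if the worm would send its exploit request to this IPv4 address.
    The notes state that 127.*.*.* is skipped; every other address is eligible."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return octets[0] != "127"


def defacement_active(infected_at: datetime, now: datetime) -> bool:
    """Whether the defacing HTTP hook from the first hooking thread is installed
    at `now` for a host infected at `infected_at` (ignores later re-hooking)."""
    start = infected_at + HOOK_DELAY
    end = start + HOOK_DURATION
    return start <= now < end


def infection_window(defacement_seen_at: datetime) -> Tuple[datetime, datetime]:
    """Given when a defaced page was observed, bound when the host was infected:
    no earlier than 12 hours before and no later than 2 hours before the
    observation (first-hook timing only)."""
    earliest = defacement_seen_at - HOOK_DELAY - HOOK_DURATION
    latest = defacement_seen_at - HOOK_DELAY
    return earliest, latest


def marker_present(root: str = "C:\\") -> bool:
    """Check for the c:\\notworm marker the worm drops once its main thread has run.
    `root` is parameterised so the check can be pointed at a mounted image."""
    return os.path.exists(os.path.join(root, MARKER_FILENAME))


if __name__ == "__main__":
    seen = datetime(2001, 7, 19, 20, 0)  # constructed observation time
    print("phase today:", worm_phase(seen.day))
    print("infection window:", infection_window(seen))
    print("marker on this host:", marker_present())
```

The phase and timing functions are useful when correlating web-server logs or help-desk reports with the worm's schedule: a defaced page seen at 20:00 on the 19th implies infection between 08:00 and 18:00 that day, and a host first infected on the 29th would show no scanning or defacement at all, only the thread buildup.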


