Surprise: Code Red II

You've probably read the news by now: A new version of the Code Red worm, dubbed Code Red II, is spreading rapidly across the Internet. Is that news any surprise? The new Code Red worm is far more dangerous than previous versions—it spreads more effectively and also installs a Trojan horse that creates backdoors within Microsoft IIS.

On Monday, August 6, we posted a survey on the Windows IT Security Web site that asks whether any version of the Code Red worm has infected your systems. As of August 8, nine people have admitted that the worm has infected their systems. If you ask me, that's nine too many. If you haven't patched your IIS systems to protect against the Code Red worm, this is the time to do so. Go to "Code Red Worm on the Loose" under Security News on the Windows IT Security Web site for related news on Code Red and the Microsoft security bulletin MS01-033 and patch. Also, be sure to read Randy Franklin Smith's article, "Code Red and Proactive Security," on the Windows IT Security Web site.

Speaking of patches, I've read a couple of recent posts on the Bugtraq mailing list that indicate a problem might exist with the Microsoft patch listed in bulletin MS01-033. A few people have reported that after they installed the patch, their systems remain immune to Code Red infection. However, when an infected system attempts to connect to their system to infect it, several IIS services (e.g., FTP, the default Web site, the administrative Web site, and the proxy service) stop processing.

In addition, users on our Win2KSecAdvice mailing list report that Code Red worm variants are affecting Cisco 600 series routers because the routers use a Web service on port 80. Users report that even when their systems run Cisco's latest firmware revision (CBOS 2.4.2), and they have disabled the Web interface, the routers stop passing traffic when the worm confronts the routers. Some readers have suggested workarounds that help deter the effects of the Code Red worm.

If you're interested in a detailed analysis of how the new Code Red II operates, read eEye Digital Security's Code Red II report, which we published on our Win2KSecAdvice mailing list last weekend. In addition, the Computer Emergency Response Team (CERT) has published a good overview of how the Code Red worm works.
