Code Red II Worm on the Loose

A new worm, dubbed Code Red II, is attacking Web servers and carries an entirely different payload from the original Code Red worm. eEye Digital Security performed a detailed analysis of the Code Red II worm after the SecurityFocus ARIS Project came forward with information about the new threat.

According to eEye, the new Code Red II worm is much more dangerous than the original worm. Code Red II attacks Microsoft Internet Information Server (IIS) running on Windows 2000 systems using the same security-related bug in IIS that the original Code Red worm exploited. To prevent infection, apply Microsoft patch MS01-033 to all Win2K-based IIS systems.

Once inside a system, Code Red II creates files in the MSDAC and SCRIPTS IIS-related directories. The worm creates a file called root.exe, which is a copy of cmd.exe—the Win2K command shell. In addition, the worm creates a Trojan horse on the system by injecting binary code into the explorer.exe file, which runs the Win2K desktop. Every time someone logs on to the system where explorer.exe runs, the Trojan horse disables Windows system file protection, which guards against unwanted changes to critical system files. The Trojan horse also creates four virtual directories under IIS, which include direct mappings to the C and D drives and mappings to the MSDAC and SCRIPTS directories. According to eEye, this series of actions might provide an attacker with a backdoor into the system even if the user removes the root.exe file.

To determine whether your systems are infected, Marc Maiffret of eEye recommends that users "look for the existence of the files c:\explorer.exe or d:\explorer.exe. Also check your IIS MSDAC and SCRIPTS folders to see if the file root.exe exists. If it does, you have most likely been infected with this worm." Maiffret also said that an older Unicode-based worm, Sadmin, renamed the cmd.exe file to root.exe, so the presence of root.exe might indicate a previous Sadmin infection and not necessarily a Code Red II-related infection.
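The file checks quoted above can be scripted for triage of a live host or a disk image mounted read-only. The following is an added example, not code from eEye or from this article; the function names and verdict labels are assumptions, and the folder paths are supplied by the caller because the article names the folders but not their full locations. Matching is case-insensitive so the check also works on a case-sensitive filesystem.

```python
import os
import tempfile

def find_ci(directory, name):
    """Return the path of file `name` in `directory` (case-insensitive), or None."""
    try:
        entries = os.listdir(directory)
    except OSError:  # volume or folder absent, e.g. a host with no D: drive
        return None
    for entry in entries:
        path = os.path.join(directory, entry)
        if entry.lower() == name.lower() and os.path.isfile(path):
            return path
    return None

def triage(drive_roots, iis_dirs):
    """Classify a host from the file indicators quoted in the article.

    drive_roots: roots of the C and D volumes (live, or an image mounted read-only)
    iis_dirs:    that host's IIS MSDAC and SCRIPTS folders (paths supplied by caller)
    """
    trojan = [p for p in (find_ci(r, "explorer.exe") for r in drive_roots) if p]
    shells = [p for p in (find_ci(d, "root.exe") for d in iis_dirs) if p]
    if trojan:
        # Reported even when root.exe is gone: the article notes the backdoor
        # may persist after root.exe is removed.
        verdict = "code-red-ii-likely"
    elif shells:
        # root.exe alone may be left over from the older Sadmin worm.
        verdict = "root-exe-only"
    else:
        verdict = "no-indicators"
    return verdict, trojan + shells

def demo():
    """Run triage over a constructed directory tree (not data from a real host)."""
    with tempfile.TemporaryDirectory() as base:
        c, d = os.path.join(base, "c"), os.path.join(base, "d_missing")
        scripts = os.path.join(c, "scripts")  # hypothetical folder location
        os.makedirs(scripts)
        for path in (os.path.join(c, "EXPLORER.EXE"), os.path.join(scripts, "root.exe")):
            open(path, "wb").close()
        verdict, hits = triage([c, d], [scripts])
        return verdict, [os.path.relpath(h, base) for h in hits]

if __name__ == "__main__":
    print(demo())
```

A "root-exe-only" result calls for checking whether the host was hit by the earlier worm before attributing it to Code Red II.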

Although the original Code Red worm spawned some 100 system threads in an effort to propagate, the Code Red II worm spawns 300 threads and will spawn 600 threads if the system is a Chinese language version of Win2K. eEye said the new worm can more effectively generate random IP addresses, which can let the Code Red II worm spread faster than the original worm.

The worm also includes date checking, which examines the month to see if it's less than 10 and the year to see if it's less than 2002. So the worm most likely will stop functioning after September 2001.
