(No surprise that new builds will be more destructive. Hard to believe that people still haven't applied the patch. Link)
"A new version of the Code Red worm, a self-propagating malicious computer program that exploits a known Microsoft IIS web server software vulnerability to compromise Microsoft Windows 2000 computer systems, is currently spreading in the field.
Unlike previous versions, the new variant of Code Red manipulates system settings, alters Windows files, and drops and launches a trojan program resulting in leaving the infected computer open to remote connection and compromise.
Please note that the analysis below is preliminary. Computer Associates anti-virus researchers are still investigating the worm, and any updates on the analysis will be published on the Computer Associates Web site.
Preliminary results indicate that the worm will only work on Windows 2000 systems running a vulnerable version of Microsoft IIS. After infecting a machine, the worm copies CMD.EXE to the \inetpub\scripts and \program files\common files\system\msadc directories on the C: and D: drives of the attacked systems.
The worm will then start scanning the network for other infectable systems in order to spread. The attack runs for 24 hours, or 48 hours if it is a Chinese language system.
After executing the attack code, the worm drops a file called Explorer.exe into the root directories of the C: and D: drives. The dropped file is 8,192 bytes in size. Next the system is rebooted and the dropped trojan file is executed during the boot process.
The trojan first launches the original Windows Explorer, then disables Windows system file protection (which prevents applications from modifying system files) by setting
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable=0xFFFFFF9D
The default value for this setting is 0.
After that the trojan creates 2 virtual IIS directories called C and D that are mapped to the root directories of the C: and D: drives by manipulating values of the HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots key.
These virtual directories are created with read, write and execute privileges effectively giving hackers full access to the C: and D: drives of an infected system through IIS.
After that the trojan goes into a loop and will redo the registry changes outlined above every 10 minutes.
The worm itself cannot be detected by anti-virus software because it is not file based. Most AV software will catch the dropped trojan when it is written to disk. However, if a system has been infected and rebooted before the appropriate signature was installed, it is very hard to determine if a hacker accessed that system after it was compromised and what kind of changes have been done to the system. In this case the only completely safe way to disinfect an infected system is to completely reinstall it."
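The two registry changes the advisory describes (SFCDisable set to 0xFFFFFF9D and drive-root virtual directories under the W3SVC Virtual Roots key) are the persistent, host-visible indicators of this variant, so they are what a defender would sweep for. The script below is an added example, not part of the advisory or the blog post: it parses a regedit `.reg` export of the relevant keys and reports both indicators. The sample export is constructed, and the `path,username,accessmask` layout of each Virtual Roots value (with `217` standing in for the mask) is an assumption about the IIS 4/5 storage format, not something the advisory states; detection keys only on a virtual root mapping to a bare drive root, and the mask is reported without being interpreted.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of a regedit export (not a real capture). It carries the
# two indicators from the advisory: SFCDisable=0xFFFFFF9D and virtual roots
# "/C" and "/D" mapped to the drive roots. The ",,217" suffix is an assumed
# IIS "path,username,accessmask" layout used only to make the sample realistic.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,201"
"/Scripts"="c:\\inetpub\\scripts,,204"
"/C"="c:\\,,217"
"/D"="d:\\,,217"
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
VROOTS = r"hkey_local_machine\system\currentcontrolset\services\w3svc\parameters\virtual roots"
SFC_DISABLED_MAGIC = 0xFFFFFF9D  # value named in the advisory; the default is 0

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path (lower-cased): {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw: str) -> str:
    """Unescape a REG_SZ value from .reg syntax ("c:\\\\x" -> c:\\x)."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\").replace('\\"', '"')


def check_sfc_disable(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag SFCDisable when it carries the advisory value or any non-default value."""
    findings: List[str] = []
    raw = keys.get(WINLOGON, {}).get("SFCDisable")
    if raw and raw.lower().startswith("dword:"):
        value = int(raw[len("dword:"):], 16)
        if value == SFC_DISABLED_MAGIC:
            findings.append(f"SFCDisable set to 0x{value:08X} (value from the advisory; default is 0)")
        elif value != 0:
            findings.append(f"SFCDisable is non-default: 0x{value:08X}")
    return findings


def check_virtual_roots(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag any IIS virtual root whose target path is a bare drive root such as c:\\."""
    findings: List[str] = []
    for name, raw in keys.get(VROOTS, {}).items():
        parts = reg_string(raw).split(",")
        path = parts[0].strip().lower()
        mask = parts[2].strip() if len(parts) > 2 else "?"  # assumed layout; reported, not interpreted
        if re.fullmatch(r"[a-z]:\\?", path):
            findings.append(f"virtual root {name} maps to drive root {path} (access mask {mask})")
    return findings


def scan_reg_export(text: str) -> List[str]:
    """Return all Code Red II indicators found in a .reg export; empty list if clean."""
    keys = parse_reg_export(text)
    return check_sfc_disable(keys) + check_virtual_roots(keys)


if __name__ == "__main__":
    # regedit on Windows 2000 writes exports as UTF-16LE; fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    for finding in scan_reg_export(text) or ["no indicators found"]:
        print(finding)
```

To use it against a live host, export the two keys with regedit (`regedit /e`) and pass the file path; the export is read as UTF-16, which is what regedit version 5.00 writes. A hit on either check only tells you the trojan has run; as the advisory says, it cannot tell you what was done through the exposed drives afterwards, so the finding should drive a rebuild decision rather than a cleanup.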
