W32/CodeRed.worm from McAfee web site
http://vil.mcafee.com/dispVirus.asp?virus_k=99142
UPDATE July 30, 2001:
Users may see reissued alerts by other security organizations as well as additional media coverage of this threat over the next 24-48 hours. AVERT reiterates that this threat does not generally affect an end-user's PC, but rather it attacks unpatched administrator's Microsoft IIS web servers. However, all Internet users can feel the effects of this worm, such as requested web pages being defaced or unavailable, due to the actions of this worm.
UPDATE July 19, 2001:
AVERT is raising awareness of this worm with a Risk Assessment on this exploit as SPECIAL. We are doing so as our focus is on providing security support to our customers and the computing public at large.
This threat only affects Microsoft XP/2000/NT running web servers
Your environment is at HIGH RISK if:
1) You have Microsoft Index Server 2.0, or Indexing Service installed with Windows 2000/XP.
2) You have NOT updated these components with the latest patch from Microsoft.
The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).
IT EXISTS IN MEMORY ONLY AND NO WRITTEN FILE EVER EXISTS ON THE HARD DISK.
It spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to its victims, which in turn scans the web for other systems to infect. Once infected, this viral code checks for the existence of C:\notworm. If the file C:\notworm is present the worm stops seeking other machines to infect.
Affected English language web servers have their web pages defaced with: <html><head><meta http-equiv="Content-Type" content="text/html; charset=English"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html>
All I can say to this is HAHAHAHHAHANBHAHAHAHHABAHAHAHAHAHAHA
I just had to get that out. It just keeps amazing me how
people just keep running Windows-based servers when a bunch
of headaches would be cured by running Linux-operated servers.
Now that I've had my daily laugh...on to other things.
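
Added example, not part of the post above or of McAfee's advisory: because the advisory says the worm lives in memory only and writes no file, one thing an administrator can check is the content the server is actually serving. The sketch below looks for the quoted defacement page's markers in an HTTP response body; the function names and both sample bodies are constructed for illustration.

```python
from html.parser import HTMLParser

# Text markers copied from the defacement page quoted in the advisory.
MARKERS = {"title": "hello!",
           "banner": "welcome to http://www.worm.com",
           "tagline": "hacked by chinese!"}

class _PageText(HTMLParser):
    """Collect title text, body text and tag names from one response body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.title, self.text, self.tags = [], [], []
        self._in_title = False
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        (self.title if self._in_title else self.text).append(data)

def _norm(parts):
    # Lower-case and collapse whitespace so reflowed markup still matches.
    return " ".join(" ".join(parts).lower().split())

def defacement_indicators(body: bytes) -> list:
    """Return the names of the advisory's markers present in a served page."""
    page = _PageText()
    page.feed(body.decode("latin-1"))  # latin-1 never raises on raw bytes
    page.close()
    title, text = _norm(page.title), _norm(page.text)
    found = [n for n in ("banner", "tagline") if MARKERS[n] in text]
    if title == MARKERS["title"]:
        found.insert(0, "title")
    if "bady" in page.tags:            # the misspelled <bady> tag in the quote
        found.append("bady-tag")
    return found

def is_defaced(body: bytes) -> bool:
    # Require all three text markers; a page that merely quotes one is not a hit.
    return {"title", "banner", "tagline"} <= set(defacement_indicators(body))

# Constructed samples: the quoted page reflowed, and a page quoting one phrase.
SAMPLE_DEFACED = b"""<html><head><title>HELLO!</title></head><bady><hr size=5>
<font color="red"><p align="center">Welcome to   http://www.worm.com !<br><br>
Hacked By Chinese!</font></hr></bady></html>"""
SAMPLE_NEWS = b"<html><head><title>News</title></head><body><p>Sites showed 'Hacked By Chinese!' today.</p></body></html>"
```

A match shows only that the defaced page is being served; per the advisory, the underlying fix is the Microsoft patch for the Index Server / Indexing Service component.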