Code Red II (computer worm)
Code Red II is a computer worm similar to the Code Red worm. It was released two weeks after Code Red, on August 4, 2001. Although it behaved similarly to the original, analysis showed it to be a new worm rather than a variant. The worm was designed to exploit a security hole in the indexing software included as part of Microsoft's Internet Information Server (IIS) web server software.
A typical signature of the Code Red II worm would appear in a web server log as:
    GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
    %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Where the original worm tried to infect other computers at random, Code Red II tried to infect machines on the same subnet as the infected machine.
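An added example, not from the original article: a Python log scanner that counts requests matching the signature above per source address and marks sources inside the server's own network, since Code Red II favours machines on the same subnet. The log layout (client address as first field), the 100-character minimum filler run, the `local_net` value and all sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Request for /default.ida whose query string starts with a long run of 'X'
# filler followed by %uXXXX-encoded words, as in the signature shown above.
# The minimum run length of 100 is an assumption chosen for this example.
SIGNATURE = re.compile(r'"GET /default\.ida\?X{100,}(?:%u[0-9a-fA-F]{4})+')

def scan(log_lines, local_net):
    """Return {source_ip: (hit_count, is_local)} for lines matching SIGNATURE.

    Assumes the client address is the first whitespace-separated field
    (Common Log Format style); adjust for the field order of the log in use.
    is_local is True when the source lies inside local_net (CIDR string).
    """
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for line in log_lines:
        if not SIGNATURE.search(line):
            continue
        src = line.split(maxsplit=1)[0]
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # first field is not an IP address; skip malformed line
        hits[src] += 1
    return {ip: (n, ipaddress.ip_address(ip) in net) for ip, n in hits.items()}

# Constructed sample data: abbreviated filler and tail, documentation addresses.
PROBE = "GET /default.ida?" + "X" * 200 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"
SAMPLE_LOG = [
    f'10.1.2.7 - - [05/Aug/2001:10:01:02 +0000] "{PROBE}" 404 -',
    f'10.1.2.7 - - [05/Aug/2001:10:01:09 +0000] "{PROBE}" 404 -',
    f'192.0.2.44 - - [05/Aug/2001:10:02:30 +0000] "{PROBE}" 404 -',
    '10.1.2.9 - - [05/Aug/2001:10:03:00 +0000] "GET /default.ida?q=test HTTP/1.0" 200 512',
    '198.51.100.5 - - [05/Aug/2001:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, (count, is_local) in sorted(scan(SAMPLE_LOG, "10.1.2.0/24").items()):
        print(f"{ip}\t{count} probe(s)\t{'LOCAL: check host' if is_local else 'external'}")
```

A source flagged as local is a host on the operator's own network sending the probe, which makes it the first candidate for isolation and patch verification.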
Microsoft had already released a security patch for IIS that fixed the security hole on June 18, 2001; however, not everyone had patched their servers, including Microsoft itself.
eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).
External links
- Original Analysis of Code Red II - analysis by Steve Friedl
- ANALYSIS: CodeRed II Worm - analysis by eEye Digital Security