August 6, 2001, updated 8/7/01

Just when we thought the worst was over, a new Code Red worm was discovered on August 4, 2001. The self-named Code Red II worm carries a dangerous payload and is capable of spreading faster than its predecessor. Instead of spawning only 100 scans of the Internet, Code Red II (w32.CodeRed.C) scans between 300 and 600 sites with each infection. And instead of defacing infected systems' Web sites, Code Red II drops a "virtual root" backdoor Trojan onto the infected system, allowing malicious users remote access to the infected system. Code Red II can be identified in Web server logs by the use of "XXXXXX" as filler characters as opposed to the original "NNNNN." According to eEye Digital Security, Code Red II will only run on Windows 2000 machines; Windows NT machines will simply crash upon infection. Windows 95, 98, and Me users are not affected.

How it works
Code Red II, self-named by a string of text written into the code, checks to see if the language on the machine is Chinese (traditional or simplified). If so, then it launches 600 threads that scan the Internet for other vulnerable systems for 48 hours. On a non-Chinese system, it creates only 300 threads which scan for only 24 hours. After scanning, Code Red II reboots the infected computer. If the date is October 1, 2001 or sometime after that date, the system will automatically reboot to remove Code Red II from memory.

Like the original worm, Code Red II chooses random IP addresses, however it uses a mask that limits its IP possibilities to those in the infected computer's own address neighborhood. The scanning threads use a non-blocking socket, so that if one thread is waiting to connect to a slow connection, the other threads will not be stopped from scanning the Internet. Once contact is established, if the system is open to the buffer overflow .ida vulnerability in IIS 4.0 and 5.0, Code Red II sends the entire worm to the new system, and then immediately starts scanning for another vulnerable systems. Code Red II will not re-infect machines currently infected with the original Code Red worm.

Most significant is the fact that Code Red II carries its own Trojan-infected version of C:\explorer.exe and D:\explorer.exe. Code Red II exploits the Relative Path vulnerability which allows for explorer.exe in the root to be executed before the explorer.exe in the Windows subdirectory. When a user next logs onto the infected system, Code Red II installs its Trojan. The Trojan then executes the real explorer.exe file, and begins to make changes to the system, including disabling the Windows File Protection (WFP). WFP prevents the replacement of certain system files. The Trojan will attempt to publish the contents of the C: and D: directories as Web pages on the server. The Trojan also makes changes to the registry settings, setting the scripts and msadc directories to allow a remote user to have full access.

Even though the Code Red II worm itself does not write itself to memory and can be cleared from an infected system by rebooting, the changes made to the registry by the Trojan remains on your computer whether or not the worm is still active on the system.

Removal
The Code Red II worm can be removed by rebooting an infected system, however that solution does not guard against re-infection at a later time, nor does it remove the Trojan. The best offense is defense. If users haven't already, they should install the previously posted Microsoft .ida vulernability patch for the following systems: Windows NT version 4.0 and Windows 2000 Professional, Server and Advanced Server. In addition, Symantec has a free tool to scan your system for signs of infection.

Additional information regarding the patch can be found on Microsoft's Web site. Also, Digital Island has detailed step-by-step instructions for installing the patches and safeguarding your system.

Tools to remove the Trojan associated with Code Red II are available from Command Central, McAfee, and Sophos.

For information about the original Code Red worm, see Code Red: Round two.