'Code Red' worm exploits Windows NT flaw

A malicious worm, named Code Red, that exploits a buffer overflow vulnerability in certain configurations of Microsoft Corp.'s Windows NT and Windows 2000 operating systems is spreading rapidly over the Internet, according to the CERT Coordination Center (CERT/CC). As many as 225,000 computers have already been affected, the organization said.

Code Red exploits a buffer overflow in the Microsoft Internet Information Server (IIS) Indexing Service DLL (Dynamic Link Library), CERT/CC said. The vulnerability is present in most versions of IIS 4.0 and IIS 5.0, it said.

According to an announcement issued on June 19 that described the vulnerability, this buffer overflow allows an attacker to gain complete control of a targeted system.

If an affected host's default language is English, Code Red will deface all Web pages served by the victim host with the message "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" In addition to Web defacement, the worm causes a degradation in overall system performance as it scans other hosts in a bid to propagate itself, CERT/CC said.

The worm does not affect hosts with a default language other than English, CERT/CC said.

Code Red can also initiate "severe denial of service" attacks as it scans non-compromised systems and networks for the IIS Indexing Service DLL buffer overflow vulnerability, CERT/CC said.

More information on the IIS Indexing Service DLL and patches that close the vulnerability are available on Microsoft's Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.
