[Dshield] Let's see how many we still have unpatched.....

Paul Marsh pmarsh at nmefdn.org
Wed Mar 12 17:00:33 GMT 2003

TrendLabs has received a significant number of infection reports on this worm from Japan and Italy. As of 4:59 AM March 12, 2003 (US Pacific Time), Trend has declared a Yellow Alert to control the spread of this malware. 

This worm, similar to the other variants of CodeRed, makes use of a remote buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that can give system level privileges to an attacker. It drops a backdoor program on an infected Web server, giving an attacker full access to this Web server thereby compromising network security. 

This worm poses no risk to Windows 95, 98, and ME users. Windows NT and 2000 users who do not have Microsoft's IIS Web Server installed are also at no risk. This worm only affects computers running Microsoft IIS that have not been patched with the Microsoft MS01-033 patch. 

The only difference between this variant and the .C variant is that the older variant executes its reboot payload if the year is greater than 2002. This .F variant executes its payload if the year is greater than 34952. 

This worm code only resides in memory, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.

Further analysis is currently being done on this malware.

For more information on CODERED.F please visit our Web site at:

More information about the list mailing list