[unisog] Ida /code red worm veriation

Williams, Bob WilliamsRB at mail.vmi.edu
Fri Jul 20 18:06:36 GMT 2001


We had one IIS server affected, and in the same way you describe.  It is a
DEC Alpha processor based unit.  Microsoft stopped supporting Alphas a few
patch releases ago, so that machine got bitten.

Our NT expert eliminated the worm on the Alpha box by unmapping the IIS
Applications Mapping for .idq and .ida index files.  In W2K, from Internet
Services Manager, you highlight the server name in the Tree box, right click
properties, under Internet Information Services you Edit Master Properties
for WWW service, then under Home Directory you click Configuration, then you
remove Extensions .ida and .idq from the Application Mappings.  Win NT 4 is
more clumsy, but follows the same basic logic.  Reboot when done.

Doing this kills your web applications that need idq.dll, but if there's
some trouble installing or obtaining the MS patch, at least you can get your
server running again sans red worm in a "dumbed down" configuration.

Bob Williams
UNIX/Network Security Administrator
Virginia Military Institute
Information Technology
427 Nichols Engineering Annex
Lexington, VA 24450

williamsrb at vmi.edu

-----Original Message-----
From: Jay D. Flanagan [mailto:jflanag at emory.edu]
Sent: Friday, July 20, 2001 10:57 AM
To: unisog at sans.org
Subject: [unisog] Ida /code red worm veriation

As others have, several of our IIS servers have been hit with what we think
is a variation of the ida /code red worm. 

Some of the characteristics we are seeing are our web servers stopping and
starting multiple times and no physical traces were found.

Some differences between the attack on our web servers and the code red worm
include that our web servers were brought down and the default web page was
not defaced. 

Has anyone seem similar situations with their web servers and if so, what
actions did you take to correct the problem? We have installed the Microsoft
patch, but it seems to not have stopped any of our problems.

Thanks in advance for any help you can give us!

Jay D. Flanagan
Security Administrator 
Emory University
Email: jflanag at emory.edu
Phone: 404-727-4962
Fax: 404-727-0817

More information about the unisog mailing list