[unisog] Ida /code red worm variation
WilliamsRB at mail.vmi.edu
Fri Jul 20 18:06:36 GMT 2001
We had one IIS server affected, and in the same way you describe. It is a
DEC Alpha processor based unit. Microsoft stopped supporting Alphas a few
patch releases ago, so that machine got bitten.
Our NT expert eliminated the worm on the Alpha box by unmapping the IIS
Applications Mapping for .idq and .ida index files. In W2K, from Internet
Services Manager, you highlight the server name in the Tree box, right click
properties, under Internet Information Services you Edit Master Properties
for WWW service, then under Home Directory you click Configuration, then you
remove Extensions .ida and .idq from the Application Mappings. Win NT 4 is
more clumsy, but follows the same basic logic. Reboot when done.
Doing this kills your web applications that need idq.dll, but if there's
some trouble installing or obtaining the MS patch, at least you can get your
server running again sans red worm in a "dumbed down" configuration.
UNIX/Network Security Administrator
Virginia Military Institute
427 Nichols Engineering Annex
Lexington, VA 24450
williamsrb at vmi.edu
From: Jay D. Flanagan [mailto:jflanag at emory.edu]
Sent: Friday, July 20, 2001 10:57 AM
To: unisog at sans.org
Subject: [unisog] Ida /code red worm variation
As others have, several of our IIS servers have been hit with what we think
is a variation of the ida /code red worm.
Some of the characteristics we are seeing are our web servers stopping and
starting multiple times and no physical traces were found.
Some differences between the attack on our web servers and the code red worm
include that our web servers were brought down and the default web page was
Has anyone seen similar situations with their web servers and if so, what
actions did you take to correct the problem? We have installed the Microsoft
patch, but it seems to not have stopped any of our problems.
Thanks in advance for any help you can give us!
Jay D. Flanagan
Email: jflanag at emory.edu
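
Added example (not part of either message above): a check that the .ida/.idq unmapping described in the reply actually took effect, run over an exported list of a site's application mappings. The entry layout "extension,handler path,flags,verbs" and the sample paths are assumptions made for this example; the sample entries are constructed. It goes slightly beyond the reply by also flagging any other extension still handled by idq.dll.

```python
# Constructed sample of application-mapping entries, assumed to be in the
# form "extension,handler path,flags,verb,verb,...".
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".ida,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".IDQ,C:\WINNT\System32\idq.dll,3,GET,HEAD,POST",
    r".htw,C:\WINNT\System32\webhits.dll,3,GET,HEAD,POST",
    r".foo,c:\winnt\system32\IDQ.DLL,1",   # odd extension, same handler
    "garbage-without-commas",              # malformed line from a bad export
]

INDEX_EXTENSIONS = {".ida", ".idq"}   # extensions named in the reply
INDEX_HANDLER = "idq.dll"             # handler DLL named in the reply


def parse_mapping(entry):
    """Split one entry into its fields; return None if it is malformed."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 2 or not (parts[0].startswith(".") or parts[0] == "*"):
        return None
    return {
        "ext": parts[0].lower(),
        "handler": parts[1],
        "flags": parts[2] if len(parts) > 2 else "",
        "verbs": parts[3:],
    }


def is_index_mapping(mapping):
    """True if the mapping is .ida/.idq or is served by idq.dll."""
    dll = mapping["handler"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return mapping["ext"] in INDEX_EXTENSIONS or dll == INDEX_HANDLER


def audit(entries):
    """Return (keep, remove, unparsed) lists of the original entry strings."""
    keep, remove, unparsed = [], [], []
    for entry in entries:
        mapping = parse_mapping(entry)
        if mapping is None:
            unparsed.append(entry)      # surface it, never silently drop it
        elif is_index_mapping(mapping):
            remove.append(entry)
        else:
            keep.append(entry)
    return keep, remove, unparsed


if __name__ == "__main__":
    keep, remove, unparsed = audit(SAMPLE_SCRIPT_MAPS)
    print("still mapped to the index handler:", *remove, sep="\n  ")
    print("could not parse:", *unparsed, sep="\n  ")
```

An empty "remove" list after the change means no mapping on that server still routes requests to idq.dll.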