CODERED.F
Overview

Malware type: Worm

Aliases: W32/CodeRed.f.worm, CodeRed.F, Win32.CodeRed.F

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT and 2000 with IIS

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm, like the other CodeRed variants, exploits a remote buffer overflow vulnerability in Microsoft's Internet Information Server (IIS) that can give an attacker system-level privileges. It drops a backdoor program on the infected Web server, giving an attacker full access to that server and thereby compromising network security. Trend Micro antivirus detects the backdoor program as TROJ_CODERED.C.

The only difference between this variant and CODERED.C is the trigger date when it restarts the system. The .C variant restarts the system if the year is greater than 2002. This .F variant, on the other hand, executes the same routine if the year is greater than or equal to 34952.

Refer to the description on CODERED.C for more details on this malware.

Affected systems

This worm exploits several IIS vulnerabilities. According to Microsoft, the following systems are affected:

  • Microsoft Index Server 2.0
  • Indexing Service in Windows 2000
  • Microsoft Internet Information Server 4.0

Any IIS 4.0 server that performs URL redirection is affected by one of the vulnerabilities this worm exploits; it can only be exploited while IIS is running. The URL-redirection code in IIS 4.0 does not properly check a request's actual length. A malformed request therefore triggers an access violation, causing the service to fail.
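The description above reduces to a defensive check an administrator can run over IIS logs: a request whose URI stem plus query string is far longer than anything the site legitimately serves deserves review. The following Python script is an added example, not Trend Micro's detection tool or any code from this entry. It parses IIS W3C Extended log lines (using the `#Fields:` directive to locate columns) and flags overlong requests. The log lines are constructed samples, not captured traffic, and the 512-byte threshold is an assumption to be tuned per site.

```python
"""Flag overlong requests in IIS W3C Extended log lines (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption (tune per site): no legitimate request on this server carries
# more than this many bytes of URI stem plus query string.
MAX_URI_LEN = 512


@dataclass
class Hit:
    date: str
    time: str
    client_ip: str
    method: str
    uri_len: int
    status: str


def _parse_fields_directive(line: str) -> Dict[str, int]:
    """Map each W3C field name to its column index from a '#Fields:' line."""
    names = line[len("#Fields:"):].split()
    return {name: idx for idx, name in enumerate(names)}


def scan_log(lines: Iterable[str], max_uri_len: int = MAX_URI_LEN) -> List[Hit]:
    """Return one Hit per data line whose stem+query exceeds max_uri_len.

    The W3C Extended format declares its columns in a '#Fields:' directive;
    a log may contain several (IIS rewrites it when the format changes), so the
    mapping is refreshed each time one is seen. '-' denotes an empty field.
    """
    columns: Dict[str, int] = {}
    hits: List[Hit] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = _parse_fields_directive(line)
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no request
        if not columns:
            raise ValueError("data line seen before any #Fields: directive")
        parts = line.split(" ")
        if len(parts) < len(columns):
            continue  # truncated line; skip rather than misalign columns

        def field(name: str) -> str:
            if name not in columns:
                return ""
            value = parts[columns[name]]
            return "" if value == "-" else value

        uri_len = len(field("cs-uri-stem")) + len(field("cs-uri-query"))
        if uri_len > max_uri_len:
            hits.append(Hit(date=field("date"), time=field("time"),
                            client_ip=field("c-ip"), method=field("cs-method"),
                            uri_len=uri_len, status=field("sc-status")))
    return hits


# Constructed sample log (not real traffic): two ordinary requests and one
# whose query string is padded far beyond any legitimate length.
_PADDED_QUERY = "id=" + "A" * 700
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-12 01:13:51 192.0.2.10 GET /index.html - 200",
    "2003-03-12 01:13:52 192.0.2.77 GET /scripts/sample.dll " + _PADDED_QUERY + " 200",
    "2003-03-12 01:13:53 192.0.2.10 GET /images/logo.gif - 304",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.date} {hit.time} {hit.client_ip} {hit.method} "
              f"uri_len={hit.uri_len} status={hit.status}")
```

Run against a real log directory by feeding each file's lines to `scan_log`; a hit is a lead for review, not proof of compromise, since legitimate applications with long query strings will also exceed a fixed threshold.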

Default installations of Windows NT 4.0 and Windows 2000 Professional do not install the IIS package. As such, these platforms are typically not vulnerable unless configured to run IIS. However, default installations of Windows 2000 Server and Windows XP Release Candidate 1 do install the IIS package, making them vulnerable.

Windows 2000 Service Pack 3 includes all patches for vulnerabilities exploited by this worm.

To test for vulnerability to CODERED.F, download our free detection tool. It is recommended that you go through the Readme file first.


Description created: Mar. 12, 2003 1:13:51 AM GMT -0800
Description updated: Mar. 12, 2003 6:13:51 AM GMT -0800
