Symantec First to Provide Comprehensive Solution To Combat "CodeRed" Attack

Johannesburg, 20 Jul 2001

CodeRed is a computer worm that exploits a known vulnerability (buffer overflow) in Microsoft's Index Server 2.0. If the system administrator has not deployed the patch, which has been available since June 18, the system will be vulnerable to the CodeRed worm and its attack that includes the following payloads:

  • Defaces Web sites if the system's default language is U.S. English, displaying the following message: "Welcome to http://www.worm.com! Hacked by Chinese!"

  • Between the 20th and 28th of each month, the worm attempts a denial-of-service attack on an IP address used by a Government Web site (www.whitehouse.gov) by sending large amounts of junk.

  • Before the 20th of the month, the worm attempts to infect as many systems as possible by targeting random IP addresses. CodeRed is not saved as a file, but injected and executed directly from memory. Patching the security hole in the system and rebooting will remove the worm and prevent further infection.

  • Worm Removal: To remove the worm, obtain and apply the patch located at http://www.microsoft.com/technet/security/bulletin/MS01-033.asp and restart the system.

Symantec is the only Internet security solutions provider to offer comprehensive protection against the CodeRed attack. The products and services involved are:

Enterprise Security Manager - Symantec's policy compliance and vulnerability management system helps manage security patch update functions. Two new patch templates are available that detect the underlying vulnerability on Windows NT 4.0 and Windows 2000 servers.

NetProwler - Symantec's network-based intrusion detection tool, with Security Update 8 installed, is capable of detecting attempts to attack IIS 4.0 and 5.0 servers through this vulnerability.

Intruder Alert - Symantec's host-based intrusion detection tool, with Security Update 8 installed, is capable of detecting attempts to attack IIS 4.0 and 5.0 servers through this vulnerability.

NetRecon - Symantec's network vulnerability assessment tool will be updated to detect if this vulnerability exists on a system and if so will provide recommendations on how to fix it.

Raptor Firewall - Symantec's enterprise firewall can be configured to block suspect outbound traffic from the IIS server.

Free "FixCodeR" Assessment Tool - For users who do not have any of the above products, this special tool, available from www.symantec.com/avcenter, detects the presence of the worm on an NT system.

Symantec Web Security - This service, www.symantec.com/securitycheck, has been updated to scan if a system is vulnerable to this exploit.

Symantec

Symantec, a world leader in Internet security technology, provides a broad range of content and network security solutions to individuals and enterprises. The company is a leading provider of virus protection, vulnerability assessment, intrusion prevention, Internet content and e-mail filtering, remote management technologies and security services to enterprises around the world. Symantec's Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries.