Code Red: “I’ll Be Back!”

Computer security organizations, ranging from the Federal Bureau of
Investigation’s National Infrastructure Protection Center (NIPC) to the
Computer Emergency Response Team Coordination Center (CERT/CC), said Sunday
they fear a relaunch of the Code Red
worm, which attacked servers around the world on July 19.

The FBI has scheduled a Monday press conference at 3 p.m. ET in Washington to discuss the matter further.

Code Red attacks servers running Microsoft’s IIS 4.0 and 5.0 Web server
software. It propagates rapidly — it infected 250,000 systems in nine hours
on July 19 — by spawning 100 threads that scan the Internet for vulnerable
servers and installing itself on those systems. As the worm multiplies and
the scanning escalates, the worm causes massive latency across the Internet.
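
The scanning described above is visible from the defender's side as a Web server that suddenly opens connections to many distinct port-80 destinations, most of which never answer. The following sketch is an added example, not part of the original article; the flow-record layout, thresholds and addresses are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them against real traffic.
WINDOW = timedelta(seconds=60)
MIN_DISTINCT = 50       # distinct port-80 destinations within WINDOW
MIN_FAIL_RATIO = 0.8    # share of attempts that never completed a handshake


def find_scanners(flows):
    """flows: (time, src, dst, dport, completed) tuples sorted by time.
    Returns {src: (distinct_dsts, fail_ratio)} at the moment src crosses both thresholds."""
    recent = defaultdict(deque)  # src -> (time, dst, completed) inside WINDOW
    flagged = {}
    for ts, src, dst, dport, completed in flows:
        if dport != 80 or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst, completed))
        while ts - q[0][0] > WINDOW:  # expire records older than the window
            q.popleft()
        distinct = {d for _, d, _ in q}
        fail_ratio = sum(not ok for _, _, ok in q) / len(q)
        if len(distinct) >= MIN_DISTINCT and fail_ratio >= MIN_FAIL_RATIO:
            flagged[src] = (len(distinct), round(fail_ratio, 2))
    return flagged


def sample_flows():
    """Constructed records using private and documentation address ranges."""
    t0 = datetime(2001, 7, 19, 12, 0, 0)
    flows = []
    for i in range(120):  # scanning server: many distinct targets, few answer
        flows.append((t0 + timedelta(milliseconds=250 * i), "10.0.0.5",
                      f"198.51.100.{i + 1}", 80, i % 20 == 0))
    for i in range(200):  # proxy: busy, but five destinations and all complete
        flows.append((t0 + timedelta(milliseconds=150 * i), "10.0.0.9",
                      f"203.0.113.{i % 5 + 1}", 80, True))
    for i in range(20):   # workstation: light browsing
        flows.append((t0 + timedelta(seconds=2 * i), "10.0.0.20",
                      f"192.0.2.{i + 1}", 80, True))
    return sorted(flows, key=lambda f: f[0])


if __name__ == "__main__":
    for src, (n, ratio) in find_scanners(sample_flows()).items():
        print(f"{src}: {n} distinct port-80 targets, {ratio:.0%} failed")
```

Requiring both a high destination count and a high failure ratio keeps a busy proxy or an ordinary browsing workstation from being flagged.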

It also checks for the existence of the file c:\notworm, which it leaves
behind in an infected system. If it finds the file, Code Red goes dormant.

It then checks whether the Web site the server is running is in English. If
so, it defaces the page with the message: “Hello! Welcome to
! Hacked By Chinese!”

The worm entered another stage at 8 p.m. EDT on July 20, when it stopped
propagating and every worm in existence sent 100 connections to port 80 of
the page.

The security organizations believe it is likely to begin spreading again on

“Code Red is likely to start spreading again on July 31st, 2001 8 p.m. EDT
and has mutated so that it may be even more dangerous,” the groups, which
include Microsoft, the NIPC, the Federal Computer Incident Response Center, Information
Technology Association of America, CERT/CC, SANS Institute, Internet
Security Systems and Internet Security Alliance, warned in a jointly
published alert. “This spread has the potential to disrupt business and
personal use of the Internet for applications such as electronic commerce,
e-mail and entertainment.”

The worm only affects Windows NT or Windows 2000 systems running the IIS Web
server software. Windows 95, Windows 98 and Windows Me are not affected.

Microsoft last month published a patch which will protect vulnerable
systems. The patch for Windows NT 4.0 is available here, and the patch for Windows 2000 Professional, Server and Advanced Server
is available here.

Editor’s note: Thor Olavsrud is a reporter for, an site.