Code Red II Worm

Description

The "Code Red II" worm exploits the same "buffer overflow" vulnerability as the earlier "Code Red" worm: an unchecked buffer in the Index Server/Indexing Service ISAPI extension (.ida/.idq) of Microsoft Internet Information Server (IIS). Microsoft has published information and a patch for this vulnerability in bulletin MS01-033:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

When a web server becomes infected, the worm checks the default language of the system. If the language is Chinese (Traditional or Simplified), it creates 600 new threads and sleeps for 48 hours; otherwise it creates 300 threads and sleeps for 24 hours. These threads generate random IP addresses and probe them for new web servers to infect. When the original thread wakes up from its sleep, it reboots the system. In addition, every thread checks the date: if the month is October or the year is 2002, the system is rebooted.
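The scanning threads described above leave a distinctive trace in the logs of every IIS server they probe. The following Python script is an added example, not part of the original advisory: it parses IIS W3C extended log records and flags the .ida probe (telling Code Red II's "X" filler apart from the "N" filler of the original Code Red) as well as requests to the root.exe and /c, /d backdoors described later in this advisory. The log lines are constructed and shortened; the only assumption about the log layout is the IIS W3C format with a "#Fields:" header.

```python
"""Flag Code Red II activity in IIS W3C extended log lines.

Added example, not part of the original advisory. The records below are
constructed; the layout assumed is the IIS W3C extended format, in which a
'#Fields:' header names the columns and '-' marks an empty field.
"""
import re

# The .ida overflow request: a long run of filler bytes followed by
# %u-encoded shellcode. The original Code Red filled with 'N', Code Red II
# with 'X'. Real requests are far longer than the shortened samples below.
IDA_PROBE = re.compile(r"^(?P<fill>[NX])(?P=fill){30,}.*%u[0-9a-f]{4}", re.I)
# The backdoors described later in this advisory: root.exe (a copy of
# CMD.EXE) in the execute-enabled scripts and MSADC directories, and the
# real cmd.exe reached through the /c and /d drive mappings.
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$", re.I)
DRIVE_ROOT_CMD = re.compile(r"^/[cd]/winnt/system32/cmd\.exe$", re.I)


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue          # truncated or non-conforming record
        yield dict(zip(fields, values))


def classify(record):
    """Return a label for a worm-related record, or None for anything else."""
    stem = record.get("cs-uri-stem", "-")
    query = record.get("cs-uri-query", "-")
    if stem.lower().endswith((".ida", ".idq")):
        m = IDA_PROBE.match(query)
        if m:
            return "code-red-ii-probe" if m.group("fill").upper() == "X" else "code-red-v1v2-probe"
    if ROOT_EXE.match(stem):
        return "root.exe-backdoor"
    if DRIVE_ROOT_CMD.match(stem):
        return "drive-virtual-root"
    return None


def find_worm_activity(lines):
    """Return (client ip, label, uri stem) for every suspicious record."""
    hits = []
    for rec in parse_w3c(lines):
        label = classify(rec)
        if label:
            hits.append((rec.get("c-ip", "-"), label, rec["cs-uri-stem"]))
    return hits


# Constructed sample: one host probed and backdoored by Code Red II, one
# probe from the original Code Red, one ordinary request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 16:02:11 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-04 16:05:40 192.0.2.77 GET /scripts/root.exe /c+dir 200
2001-08-04 16:06:02 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-08-04 16:09:15 198.51.100.5 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u8190%u00c3 200
2001-08-04 16:10:00 203.0.113.9 GET /index.html - 200
""".splitlines()

if __name__ == "__main__":
    for ip, label, stem in find_worm_activity(SAMPLE_LOG):
        print(f"{ip:15} {label:22} {stem}")
```

A probe alone only shows that a host was scanned; a probe followed by root.exe or /c, /d requests from the same source is the signature of a host that was actually infected and then used.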

The worm also installs a backdoor Trojan. It tries to copy the system command interpreter CMD.EXE from the Windows system directory (%SystemRoot%\system32) to the following files:

  • c:\inetpub\scripts\root.exe
  • c:\progra~1\common~1\system\MSADC\root.exe
  • d:\inetpub\scripts\root.exe
  • d:\progra~1\common~1\system\MSADC\root.exe

This lets any remote attacker take full control of the web server by sending an HTTP GET request that runs root.exe, for example GET /scripts/root.exe?/c+dir: the scripts directory is execute-enabled in a default IIS installation, so IIS runs the copied CMD.EXE with the command given after ?/c+ in the security context of the web server. The MSADC copy is reachable in the same way.

The worm also creates a Trojan horse copy of explorer.exe in C:\ and D:\. This Trojan explorer.exe launches the real explorer.exe to mask its presence and adds IIS virtual root mappings (/c and /d) that expose the whole C:\ and D:\ drives over the web. Because of the "Relative Shell Path" vulnerability (MS00-052), Windows starts C:\explorer.exe instead of the real shell every time a user logs in, so this part of the payload persists even after a reboot of the compromised system.
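Both backdoors described above can be checked for from the network. The following Python script is an added example, not part of the original advisory: it sends the GET requests an attacker would use (running "dir" through root.exe in the scripts and MSADC directories, and through the real cmd.exe via the /c and /d virtual roots) and reports which of them execute. The InfectedHostStub class is a constructed stand-in for an infected IIS host so the probe can be exercised offline; run the probe only against systems you are authorised to test.

```python
"""Probe a web server for the Code Red II backdoors.

Added example, not from the original advisory. Standard library only; the
stub server at the bottom is constructed to imitate an infected IIS host
so the probe can be run offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Paths the worm opens: root.exe (the copied CMD.EXE) in the two
# execute-enabled IIS directories, and the real cmd.exe through the /c and
# /d virtual roots that the Trojan explorer.exe maps to C:\ and D:\.
PROBES = [
    "/scripts/root.exe?/c+dir",
    "/MSADC/root.exe?/c+dir",
    "/c/winnt/system32/cmd.exe?/c+dir",
    "/d/winnt/system32/cmd.exe?/c+dir",
]

# "cmd /c dir" output always carries these markers. A 200 status alone is
# not proof: some servers answer 200 with an error page for any URL.
DIR_MARKERS = (b"Volume in drive", b"Directory of")


def probe_host(host, port=80, timeout=5.0):
    """Return the probe paths on host that actually executed 'dir'."""
    found = []
    for path in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            status, body = resp.status, resp.read(4096)
        except OSError:
            continue          # connection refused, timeout, reset
        finally:
            conn.close()
        if status == 200 and all(m in body for m in DIR_MARKERS):
            found.append(path)
    return found


class InfectedHostStub(BaseHTTPRequestHandler):
    """Constructed stand-in for an infected host: it answers the scripts
    root.exe and /c virtual-root probes with a fake 'dir' listing and
    returns 404 for everything else."""
    OPEN_PATHS = ("/scripts/root.exe?/c+dir", "/c/winnt/system32/cmd.exe?/c+dir")

    def do_GET(self):
        if self.path not in self.OPEN_PATHS:
            self.send_error(404)
            return
        body = (b" Volume in drive C has no label.\r\n"
                b" Directory of C:\\inetpub\\scripts\r\n\r\n"
                b"08/04/01  10:15a           236,304 root.exe\r\n")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass                  # keep the stub quiet


def run_stub_server():
    """Start the stub on 127.0.0.1 at an ephemeral port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), InfectedHostStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = run_stub_server()
    try:
        for hit in probe_host("127.0.0.1", port):
            print("backdoor open:", hit)
    finally:
        server.shutdown()
        server.server_close()
```

The check looks for the text of a directory listing rather than trusting the status code, because an IIS server that has had root.exe removed but still maps /scripts will return an error page, not a listing, for the same request.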

Impact

Intruders can execute arbitrary commands within the LocalSystem security context on Windows 2000 systems infected with the "Code Red II" worm. Compromised systems may be subject to files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The widespread, automated attack and propagation characteristics of "Code Red II" may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where "Code Red II" is running.

Windows NT 4.0 systems and Cisco 600-series DSL routers may experience denial-of-service as a result of the scanning activity of the worm.

Vulnerable System
  • Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled and Index Server 2.0 installed
  • Microsoft Windows 2000 with IIS 5.0 enabled and Indexing services installed
  • Cisco CallManager, Unity Server, uOne, ICS7750, Building Broadband Service Manager, IP/VC 3540 Application Server (these systems run IIS)
  • Cisco 600 series DSL routers

Solutions

According to SecurityFocus, the steps for recovering from Code Red II are:

  1. Download Microsoft's patch (MS01-033) for your IIS web server from
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
  2. Disconnect the system from the Internet so it cannot be re-infected while you clean it
  3. Remove the Trojan versions of C:\explorer.exe and D:\explorer.exe if they exist
  4. Reboot the system to clear the worm from memory
  5. Apply the patch to prevent re-infection
  6. Check again for Trojan versions of C:\explorer.exe and D:\explorer.exe and remove any that remain
  7. Reboot before attempting to change registry values, so that no Trojan explorer.exe is still running
  8. Remove every copy of root.exe: C:\inetpub\scripts\root.exe, C:\progra~1\common~1\system\MSADC\root.exe and the same two locations on D:\
  9. Reset the registry value
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
    to 0 to re-enable System File Protection
  10. Code Red II sets the following values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots to give remote web access. The /c and /d mappings are not part of any default installation and should be deleted. If you did not customise the Scripts and msadc mappings, remove the worm's entries or reset them to the defaults; if you use them, reset them to your own values:
    • SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts
    • SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc
    • SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c
    • SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d
  11. Reboot the system
  12. Reconnect to the Internet
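The registry work in steps 9 and 10 can be verified offline on an export taken with regedit /e from the affected host. The following Python script is an added example, not from the original advisory or from SecurityFocus. It assumes the Windows 2000 .reg text format ("Windows Registry Editor Version 5.00"), that the worm writes SFCDisable as dword:ffffff9d, and that its virtual-root entries use the "path,username,flags" value format with the access flags 217; these two values come from published analyses of the worm and should be treated as assumptions to compare against your own export. The sample export below is constructed.

```python
"""Audit a 'regedit /e' export for the settings Code Red II leaves behind.

Added example, not from the original advisory or from SecurityFocus. It
parses the text of an exported .reg file so the check runs offline on a
copy taken from the compromised host. Assumptions: the worm writes
SFCDisable=0xffffff9d and virtual roots as '<path>,,217' (value format
'path,username,flags'); the sample export at the bottom is constructed.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VROOTS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
WORM_FLAGS = "217"        # access flags the worm writes (assumption, see above)

VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def reg_string(data):
    """Unescape a REG_SZ literal from a .reg file; None for other types."""
    if not data.startswith('"'):
        return None
    return data.strip('"').replace("\\\\", "\\")


def audit(text):
    """Return a list of findings; an empty list means nothing of the worm remains."""
    keys = parse_reg_export(text)
    findings = []
    sfc = keys.get(WINLOGON, {}).get("SFCDisable", "dword:00000000")
    if sfc.startswith("dword:") and int(sfc[6:], 16) != 0:
        findings.append(f"SFCDisable is {sfc}; System File Protection is disabled")
    for name, data in keys.get(VROOTS, {}).items():
        mapping = reg_string(data)
        if mapping is None:
            continue
        path, _, flags = (mapping.split(",") + ["", ""])[:3]
        # /c and /d mapped to a bare drive letter never appear in a default
        # installation; any other root carrying the worm's flags is suspect.
        if name.lower() in ("/c", "/d") and re.fullmatch(r"[a-z]:\\?", path.lower()):
            findings.append(f"virtual root {name} exposes the whole drive {path}")
        elif flags == WORM_FLAGS:
            findings.append(f"virtual root {name} ({path}) carries worm flags {flags}")
    return findings


# Constructed export of an infected host, reduced to the two keys of interest.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots]
"/"="c:\\inetpub\\wwwroot,,1"
"/Scripts"="c:\\inetpub\\scripts,,217"
"/MSADC"="c:\\program files\\common files\\system\\msadc,,217"
"/C"="c:\\,,217"
"/D"="d:\\,,217"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run the audit once before step 9 to see what the worm changed and again after step 11 to confirm the values did not come back, which is what would happen if a Trojan explorer.exe survived the cleanup.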

eEye has released a tool that can scan up to 254 IP addresses at once and determine whether any of them are vulnerable to the .ida "Code Red" attack.

Download the eEye Retina CodeRed Scanner here:
http://www.eeye.com/html/Research/Tools/RetinaCodeRed.exe

Before installing the software, please visit the manufacturer's web site for more details.
