Web Hosting Talk

View Full Version : Red Worm Virus


Desperate
07-31-2001, 07:32 AM
What's all the worry about the red worm virus?
Are our websites and servers in trouble?
What can we do, and does it affect everyone?

sysweb
07-31-2001, 08:20 AM
This virus infects Web servers running NT4 and W2K only. It does not infect end user PCs or laptops.

SUMMARY

On 19 July, the Code Red worm infected more than 250,000 systems in various corporations globally in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems.

Sources indicate that Code Red is likely to start spreading again on 31 July 2001 at 8:00 PM EDT and has mutated so that it may be even more dangerous.

All IIS servers that have not applied the Microsoft patch indicated below are vulnerable to this worm.

REQUIRED ACTION

Apply Microsoft patch MS01-033 located at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Some other info can be found @

http://itn.co.uk/news/20010731/world/01virus.shtml
http://itn.co.uk/news/20010731/business/01worm.shtml
I hope this helps

Lawrence
07-31-2001, 09:21 AM
This virus infects Web servers running NT4 and W2K only. It does not infect end user PCs or laptops.

Just to clarify, because it's important here - according to Microsoft, it can affect a machine if it has Windows NT or Windows 2000, AND IIS. So it CAN infect an end user PC if that PC has IIS installed (if you have it installed for script testing or similar).

As for whether your web site is in trouble, it's not a virus, so it won't destroy anything. But it is a rather potent worm that is expected to be clogging up web traffic.

But please, don't believe me, because that's just what I've read and heard. Have a look at those links that sysweb posted.

MyHostFinder
07-31-2001, 09:36 AM
Can you install IIS on Win98 or ME? I thought you could not, but I may be wrong. This may be why everything says NT and 2000. Not sure..

Cephren
07-31-2001, 02:24 PM
The worm sends its code as an HTTP request. The HTTP request exploits a known buffer-overflow vulnerability, which allows the worm to run on your computer. The malicious code is not saved as a file, but is inserted into and then run directly from memory.

Once run, the worm checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state.

If the file C:\Notworm does not exist, then new threads are created. If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to the IP addresses 127.*.*.*.

If the default language of the computer is U.S. English, further threads cause Web pages to appear defaced. First, the thread sleeps two hours and then hooks a function that responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.

The HTML displays:

Welcome to http:// www.worm.com !
Hacked By Chinese!

This hook lasts for 10 hours and is then removed. However, reinfection or other threads can rehook the function.

Two versions of this worm have been seen in the wild. The second version does not cause the web pages to be defaced.

Also, if the date is between the 20th and 28th of the month, the active threads then attempt a Denial of Service attack on a particular IP address by sending large amounts of junk data to port 80 (Web service) of 198.137.240.91, which was www.whitehouse.gov. This IP address has been changed and is no longer active.

Finally, if the date is later than the 28th of the month, the worm's threads are not run, but are directed into an infinite sleep state. This multiple-thread creation can cause computer instability.


I'm sure every web host is prepared for this...................
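An added example from the defender's side of the behaviour described above (not code from any poster in this thread): a Python scanner that flags, in IIS W3C extended logs, requests to the Index Server .ida/.idq ISAPI extensions that carry an oversized query string (the MS01-033 overflow vector the posts refer to; the .ida/.idq detail is taken from that bulletin, not from this thread), plus a check for the defacement string an infected server returns. The log lines, IP addresses and the length threshold are constructed.

```python
import re

# Constructed W3C extended log excerpt (not a real capture); fields are read from the #Fields header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2001-07-31 20:01:12 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/4.0 200
2001-07-31 20:01:15 10.0.0.5 GET /default.ida {n240}%u9090%u6858 80 - 198.51.100.7 - 200
2001-07-31 20:02:40 10.0.0.5 GET /search.idq CiRestriction=iis 80 - 192.0.2.44 Mozilla/4.0 200
""".format(n240="N" * 240)

# Index Server ISAPI extensions handled by the unchecked buffer fixed in MS01-033.
IDA_PROBE = re.compile(r"\.id[aq]$", re.IGNORECASE)
# Constructed threshold: legitimate .idq queries are short; the overflow needs hundreds of bytes.
OVERFLOW_QUERY_LEN = 200
# Text the worm's hooked HTTP handler returns in place of the real page (from the post above).
DEFACE_MARKER = "Hacked By Chinese!"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_overflow_probes(text):
    """Return (client ip, uri stem) for .ida/.idq requests whose query string is suspiciously long."""
    hits = []
    for rec in parse_w3c(text):
        query = rec["cs-uri-query"]
        if IDA_PROBE.search(rec["cs-uri-stem"]) and query != "-" and len(query) >= OVERFLOW_QUERY_LEN:
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


def is_defaced(response_body):
    """True when a page fetched from your own server carries the worm's replacement HTML."""
    return DEFACE_MARKER in response_body


if __name__ == "__main__":
    print(find_overflow_probes(SAMPLE_LOG))
    print(is_defaced("<html>Welcome to http://www.worm.com !<br>Hacked By Chinese!</html>"))
```

The short, legitimate .idq query in the sample is deliberately left unflagged; only the long probe against /default.ida is reported.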