IIS virus triggers Red alert

A worm bearing strong similarities to the sadmind virus, which hit over 9000 IIS websites back in May, has been doing the rounds, exploiting a vulnerability which is over a month old.

The worm exploits a known buffer overflow vulnerability - an ISAPI extension in the Index Server of Windows 2000 and XP beta - for which Microsoft released a patch in June that it believed had fixed the problem.

However, EEye Digital Security claims to have discovered the new variant which it calls 'Code Red' because "part of the worm is designed to deface web pages with the text 'Hacked by Chinese'".

Once the worm infects an IIS machine it produces 100 new threads, or copies of itself, which scan the internet looking for more IIS machines with the same vulnerability that it can then infect and turn into more agents. It is a trait shared by the sadmind worm.

Code Red also defaces the host website with the message: "Hello! Welcome to http://www.worm.com! Hacked by Chinese!".

EEye claims that one infected host received connection attempts from over five thousand IIS 5 web servers trying to exploit the vulnerability, indicating that thousands of web servers could be infected.

The Microsoft patch for the vulnerability is available here.