A mutant version of the infamous CodeRed II worm has emerged in the wild, security experts have warned.
The minor variant of the original CodeRed.F differs in only two bytes of code from the original CodeRed II.
CodeRed.F preys on vulnerable Microsoft IIS 4.0 and 5.0 web servers
vnunet.com, 13 Mar 2003
A mutant version of the infamous CodeRed II worm has emerged in the wild, security experts have warned.
The minor variant of the original CodeRed.F differs in only two bytes of code from the original CodeRed II.
According to antivirus firm Symantec the functional and payload elements of the mutant are substantially the same as its predecessor.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 web servers and uses a buffer overflow vulnerability to infect the computers.
The worm then injects itself directly into memory, rather than copying itself as a file on the system.
In addition, CodeRed.F creates a file called Trojan.VirtualRoot which gives the hacker full remote access to the web server.
In order to protect against the worm, Symantec recommends taking the following action:
Users running Microsoft IIS Server should apply the latest Microsoft patch here.
A cumulative patch for IIS, including the four patches released to date, is available here.
In addition, the worm's Trojan.VirtualRoot payload takes advantage of a vulnerability in Windows 2000.
A Microsoft security patch to address this problem and stop the Trojan from re-infecting can be downloaded here.
Companies form partnership to produce high-end intrusion detection device
In the aftermath of the Code Red outbreak, experts suggested that the hysteria surrounding the worm may have been at least partly responsible for its failure to bring the internet to its knees. Although some reports were labelled as scaremongering, they may have prompted administrators to harden their servers against attack and ultimately stemmed the spread of the worm. But now a second variant of Code Red has appeared, it remains to be seen if the large number of still unpatched servers out there will help the worm spread further yet.
New variant of Code Red worm is more dangerous than its parent.

In part one of V3.co.uk's interview with Dirk Singer, he dicusses social media monitoring strategies

Remote access - Three steps to getting connected
3.4 million UK professionals now work from home – is your company equipped?

Cost benefits of a global collaboration network
This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.

Join our live chat session on Thursday at 11am to...

Researchers from security firm FireEye have been able to effectively...
Do you agree?
Have your say on this article