A worm bearing strong similarities to the sadmind virus, which hit over 9000 IIS websites back in May, has been doing the rounds, exploiting a vulnerability which is over a month old.
The worm exploits a known buffer overflow vulnerability - an ISAPI extension in the Index Server of Windows 2000 and XP beta - for which Microsoft released a patch in June that it believed had fixed the problem.
However, EEye Digital Security claims to have discovered the new variant which it calls 'Code Red' because "part of the worm is designed to deface web pages with the text 'Hacked by Chinese'".
Once the worm infects an IIS machine it produces 100 new threads, or copies of itself, which scan the internet looking for more IIS machines with the same vulnerability that it can then infect and turn into more agents. It is a trait shared by the sadmind worm.
Code Red also defaces the host website with the message: "Hello! Welcome to http://www.worm.com! Hacked by Chinese!".
EEye claims that one infected host received connection attempts from over five thousand IIS 5 web servers trying to exploit the vulnerability, indicating that thousands of web servers could be infected.
The Microsoft patch for the vulnerability is available here.
Claims to have "the most competitive logic density" in the industry
Dell's high-end mobile workstations upgraded with Intel Coffee Lake CPUs
Webstresser admins were also arrested in the UK, Croatia, Canada and Serbia
Security firm claims that 117,638 sites out of 135,035 analysed contain serious security flaws