Virus Advisory - Code Red Worm 8/16/01 3:13pm

Use this tool from Microsoft to remove Code Red:
Code Red Removal Tool

Updated - A Code Red Worm variant, W32/CodeRed.c has been reported by NAI to be "in the wild". Minimum Dat and Scan Engine to detect and clean the backdoor installed by this new worm is Dat 4156 and Scan Engine 4.1.40. Applying the security patch for the original Code Red worm provides protection against W32/CodeRed.c, which uses the same exploit as the original.

This worm affects Servers and Desktops running Microsoft IIS (Windows NT4, Windows 2000 and beta XP). The worm takes advantage of a known buffer overflow security flaw in IIS. The infected host displays the web page:

Welcome to http://www.worm.com !

Hacked By Chinese!

The worm also scans for other machines to infect. It exists only in memory, and does not write files to the hard drive of the infected host. Consequently, rebooting the infected host will remove the worm. The host will remain vulnerable until it is patched! Because the worm does not write to the hard drive, current desktop and server antivirus products will not provide protection from this worm. The only reliable protection is to patch all vulnerable systems.
The Microsoft security patchs for IIS 4.0 and IIS 5.0 are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp

For more Information see:

• From Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-044.mspx
• From Microsoft: http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
• From NAI: http://vil.nai.com/vil/content/v_99142.htm
• From CERT/CC: http://www.cert.org/advisories/CA-2001-19.html

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.