Virus Profile: W32/CodeRed.c.worm

Virus Characteristics

AVERT is raising awareness of this worm with a Risk Assessment on this exploit as SPECIAL. We are doing so as our focus is on providing security support to our customers and the computing public at large.

This threat only affects Microsoft Windows 2000 running web servers. Although WinNT is vulnerable to this exploit, the worm crashes on WinNT.

Your environment is at HIGH RISK if:

1) You have Microsoft IIS server installed with Windows 2000.

2) You have NOT updated this server with the latest patch from Microsoft.

The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).

THIS VIRUS EXISTS IN MEMORY ONLY (however, the .C variant does write a trojan program to the hard disk). As such, the trojan can be detected with the latests DATs and engine, but the virus can not (see the removal instructions on how to remove the virus and trojan).

The virus spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to the its victims, which in turn scans the web for other systems to infect.

This is a rewrite of the W32/CodeRed.a.worm This variant does not deface web pages or contain a DDoS payload. It uses the atom "CodeRedII" for self-recognition and thus does not reinfect already infected systems.

It checks whether Chinese (either Traditional or Simplified) is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours. After that, it reboots the system. On 12am Oct 1, 2001 GMT it reboots the computer, thus clearing the worm portion from memory. However, since not all clocks are set correctly, the computer will almost immediately get reinfected and reboot the computer again and again and again. The worm tends to probe nearby systems with probability 50% (4/8) - same Class A net (255.0.0.0) 37.5% (3/8) - same Class B subnet (255.255.0.0) 12.5% (1/8) - random

It tries to copy %windir%\CMD.EXE to the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.

It also tries to create a backdoor trojan (detected as W32/CodeRed.c trojan with the 4152 DATs) which it saves to c:\explorer.exe and d:\explorer.exe. This exploits the "Relative Shell Path" Vulnerability, which states that Windows will run c:\explorer.exe before %windir%\explorer.exe. So, the trojan can be run where EXPLORER.EXE is called. The trojan does nothing more than write certain values to the registry every 10 minutes. It is these registry values that opens a security hole in your system.

On the next reboot, the trojan carries out its payload and then calls the original explorer.exe. The trojan adds a value to the following registry key, to disable local file system security:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SFCDisable

Two values are added to the following key to enable a remote attacker to have access to the C: and D: drives, via a web browser:

HKLM\SYSTEM\CurrentControlSet\Services\
W3SVC\Parameters\Virtual Roots.

Also under this key, the /SCRIPT and /MSADC values are configured to allow read/write access to the paths associated with these values.

These changes allow a remote attacker to carry out shell function on the local system by sending commands to it via a URL.