Virus Profile: W32/CodeRed.c.worm

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 8/4/2001
Date Added: 8/5/2001
Origin: Unknown
Length: 0
Type: Virus
Subtype: Internet Worm
DAT Required: 4152
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.

Methods of Infection

This worm makes uses of a Microsoft Index Server buffer overflow exploit to execute itself in memory.

Aliases

CodeRed.v3 (NAV), Trojan.VirtualRoot (NAV), W32/CodeRed.c, W32/CodeRed.gen.worm
   

Virus Characteristics

-- Update March 11, 2003 --
A new variant (W32/CodeRed.f.worm) was discovered in the wild. This variant is nearly identical to the .c variant.

AVERT is raising awareness of this worm with a Risk Assessment on this exploit as SPECIAL. We are doing so as our focus is on providing security support to our customers and the computing public at large.

This threat only affects Microsoft Windows 2000 running web servers. Although WinNT is vulnerable to this exploit, the worm crashes on WinNT.

Your environment is at HIGH RISK if:

1) You have Microsoft IIS server installed with Windows 2000.

2) You have NOT updated this server with the latest patch from Microsoft.

The exploit, a buffer overflow, is used to spread this worm (Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise).

THIS VIRUS EXISTS IN MEMORY ONLY (however, the .C variant does write a trojan program to the hard disk). As such, the trojan can be detected with the latests DATs and engine, but the virus can not (see the removal instructions on how to remove the virus and trojan).

The virus spreads through TCP/IP transmissions on port 80. By making use of this exploit, the worm is able to send itself as a TCP/IP stream directly to the its victims, which in turn scans the web for other systems to infect.

This is a rewrite of the W32/CodeRed.a.worm This variant does not deface web pages or contain a DDoS payload. It uses the atom "CodeRedII" for self-recognition and thus does not reinfect already infected systems.

It checks whether Chinese (either Traditional or Simplified) is the language installed on the system. If it is Chinese, it creates 600 threads and spreads for 48hours. On a non-Chinese system it creates 300 threads and spreads for 24 hours. After that, it reboots the system. On 12am Oct 1, 2001 GMT it reboots the computer, thus clearing the worm portion from memory. However, since not all clocks are set correctly, the computer will almost immediately get reinfected and reboot the computer again and again and again. The worm tends to probe nearby systems with probability 50% (4/8) - same Class A net (255.0.0.0) 37.5% (3/8) - same Class B subnet (255.255.0.0) 12.5% (1/8) - random

It tries to copy %windir%\CMD.EXE to the following files:
c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe.

It also tries to create a backdoor trojan (detected as W32/CodeRed.c trojan with the 4152 DATs) which it saves to c:\explorer.exe and d:\explorer.exe. This exploits the "Relative Shell Path" Vulnerability, which states that Windows will run c:\explorer.exe before %windir%\explorer.exe. So, the trojan can be run where EXPLORER.EXE is called. The trojan does nothing more than write certain values to the registry every 10 minutes. It is these registry values that opens a security hole in your system.

On the next reboot, the trojan carries out its payload and then calls the original explorer.exe. The trojan adds a value to the following registry key, to disable local file system security:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SFCDisable

Two values are added to the following key to enable a remote attacker to have access to the C: and D: drives, via a web browser:

HKLM\SYSTEM\CurrentControlSet\Services\
W3SVC\Parameters\Virtual Roots.

Also under this key, the /SCRIPT and /MSADC values are configured to allow read/write access to the paths associated with these values.

These changes allow a remote attacker to carry out shell function on the local system by sending commands to it via a URL.

Variants

Variants information
Virus Name Type Subtype Differences
W32/CodeRed.d.worm Virus Internet Worm Minor differences only
   
Microsoft has released a tool to "eliminate the obvious effects of the Code Red II worm"
-- Trojan Removal --
To detect and remove the trojan, update to the 4152 DATs . If the trojan is detected it will be deleted, and the registry keys which allow a remote attacker to have access to the C: and D: drives, via a web browser, will be deleted as well.

Additionally, administrators need to remove the /C and /D virtual shares through the INTERNET SERVICES MANAGER and should restore the permissions on the /SCRIPTS and /MSADC virtual directories (if necessary) for each virtual website. The Windows File Protection/System File Checker registry value should be restored to the desired setting (0 is the default):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\SFCDisable

Delete the following files:

c:\inetpub\scripts\root.exe
c:\progra~1\common~1\system\MSADC\root.exe
d:\inetpub\scripts\root.exe
d:\progra~1\common~1\system\MSADC\root.exe

-- Virus Removal --
Install the patches from Microsoft. For more information and to obtain the patches for these vulnerabilities, visitMicrosoft's sites:

Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

"Relative Shell Path" Vulnerability

Note that on top of applying the patch, rebooting of the server is also required to remove the worm from memory. Without the patch, the machine will simply become reinfected using the same vulnerability.

The worm does NOT affect desktop systems or pure file servers.

Learn how to stop CodeRed at the Internet gateway .

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95