Strategies & Market Trends : Ask Vendit Off-Topic Questions

To: DOUG H who wrote (913) 7/31/2001 6:20:51 AM
From: Vendit™
 
Based on information that I have read on the Code Red worm, it is mainly if not exclusively a problem for business servers such as an ISP. Risk of infection is low and a reboot is the cure. The resulting effect from an infected server would be a slowed down Internet from our end.

=====================================================

CODERED.A

Risk rating: Low
Virus type: Trojan
Destructive: No

Aliases:
TROJ_BADY.A, W32/Bady.worm, CODERED, CODE RED, HBC

Description:
This worm uses a remote buffer overflow vulnerability in Internet Information Service (IIS) Web Servers that can give system-level privileges to a remote user, thereby compromising network security. This worm has two trigger dates and two payloads. The first payload is triggered when the current system date is between 20 and 28. The worm executes a distributed denial of service attack (DDoS) on a Government Web site (www1.whitehouse.gov). The second payload is triggered if the current system date is less than 20. The payload then executes and generates random IP addresses and sends copies of itself through port 80. IIS users should download Microsoft's patch for the .ida vulnerability.

Solution:

Scan your system with Trend Micro antivirus and delete all files detected as CODERED.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

For IIS users, download Microsoft's released patch for the .ida vulnerability.

Restart your system. Since CODERED.A is always in memory, never dropping a copy of itself in the file system, restarting the infected computer should remove it.

The worm rarely makes itself physically present and one way to detect it is through the use of an IDS (Intrusion Detection System) at the server. You add a part of the worm’s packet data into the signature file of your IDS. If your IDS detects that such data is being sent to port 80 via TCP/IP transmission, it indicates that your server is being attacked by the worm.

If you need further assistance with this solution, please send an email to virus_doctor@trendmicro.com.

Technical details: antivirus.com

Main page: antivirus.com
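The advisory above says the worm leaves no file on disk and is best caught by an IDS rule on traffic to TCP port 80. Here is an added toy version of that check (not Trend Micro's or the poster's code): it flags requests to port 80 whose path ends in `.ida` and whose query string is far longer than any legitimate use, the shape of the IIS .ida overflow the advisory refers to. The traffic records, the 200-character threshold and the IP addresses are all constructed assumptions.

```python
"""Toy IDS-style check for the .ida overflow pattern described in the advisory.

Records are (source_ip, destination_port, first_line_of_HTTP_request), as a
sensor in front of the web server might log them. Everything here is constructed
sample data; the threshold is an assumption, not a vendor signature.
"""
import re
from urllib.parse import urlsplit

# Assumed threshold: a query string this long on an .ida resource has no
# legitimate purpose and matches the buffer-overflow shape the advisory names.
IDA_QUERY_THRESHOLD = 200

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")

# Constructed sample traffic: one overlong .ida request on port 80, one short
# (benign) .ida request, one overlong request on a non-web port, two ordinary lines.
SAMPLE_TRAFFIC = [
    ("192.0.2.10", 80, "GET /index.html HTTP/1.0"),
    ("192.0.2.11", 80, "GET /default.ida?" + "X" * 300 + " HTTP/1.0"),
    ("192.0.2.12", 80, "GET /search.ida?q=report HTTP/1.0"),
    ("192.0.2.13", 8080, "GET /default.ida?" + "X" * 300 + " HTTP/1.0"),
    ("192.0.2.14", 80, "POST /cgi-bin/form HTTP/1.1"),
]


def is_ida_overflow_request(request_line: str) -> bool:
    """True if the request targets an .ida resource with an oversized query."""
    match = REQUEST_LINE.match(request_line)
    if not match:
        return False  # malformed or non-HTTP line: not this signature's concern
    parts = urlsplit(match.group("target"))
    if not parts.path.lower().endswith(".ida"):
        return False
    return len(parts.query) > IDA_QUERY_THRESHOLD


def scan_traffic(records):
    """Apply the signature only to TCP/80 traffic, as the advisory suggests.

    Returns a list of (source_ip, truncated_request_line) alerts.
    """
    alerts = []
    for src_ip, dst_port, line in records:
        if dst_port == 80 and is_ida_overflow_request(line):
            alerts.append((src_ip, line[:40] + "..."))
    return alerts


if __name__ == "__main__":
    for src_ip, snippet in scan_traffic(SAMPLE_TRAFFIC):
        print(f"ALERT .ida overflow pattern from {src_ip}: {snippet}")
```

A real deployment would match on the payload bytes the vendor publishes rather than on length alone, and would alert on the destination server as well as the source, since an infected host is also a victim.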