CERT® Incident Note IN-2001-09The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
"Code Red II:" Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLLRelease Date: August 6, 2001
The CERT/CC has received reports of new self-propagating malicious code exploiting the vulnerability described in CA-2001-13 Buffer Overflow In IIS Indexing Service DLL. These reports indicate that the worm has already affected thousands of systems. This new worm is being called "Code Red II," however, except for using the same buffer overflow mechanism, it is different from the original "Code Red" worm described in CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL.
The "Code Red II" worm causes system level compromise and leaves a backdoor on certain machines running Windows 2000. Vulnerable Windows NT 4.0 systems could experience a disruption of the IIS service.
The "Code Red II" worm is self-propagating malicious code that exploits a known vulnerability in Microsoft IIS servers (CA-2001-13).
The "Code Red II" worm attacks as follows:
Upon successful compromise of a system, the worm
The "Code Red II" worm can be identified on victim machines by the presence of the following string in IIS log files:
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0 0%u531b%u53ff%u0078%u0000%u00=a
The presence of this string in a log file does not neccessarily indicate compromise, it only implies that a "Code Red II" worm attempted to infect the machine.
The worm will create several files on the compromised machines. These files include c:\explorer.exe or d:\explorer.exe, as well as root.exe in the IIS scripts or MSADC folder. While the existence of the file root.exe could indicate compromise, it does not necessarily imply the presence of the "Code Red II" worm. This file name has been used for artifacts of other exploits, including the sadmind/IIS worm (see CA-2001-11).
A host running an active instance of the "Code Red II" worm will scan random IP addresses on port 80/TCP looking for other hosts to infect. The IP addresses scanned by the "Code Red II" worm are determined in a probabilistic manner:
Additional detailed analysis of this worm has been published by eEye Digital Security at http://www.eeye.com.
Intruders can execute arbitrary commands within the LocalSystem security context on Windows 2000 systems infected with the "Code Red II" worm. Compromised systems may be subject to files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.
The widespread, automated attack and propagation characteristics of the "Code Red II" may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where "Code Red II" is running.
Windows NT 4.0 systems and Cisco 600-series DSL routers may experience denial-of-service as a result of the scanning activity of the worm.
Infection by the "Code Red II" worm constitutes a system level compromise. If you believe a host under your control has been compromised, please refer to
Consistent with the security best-practice of denying all network traffic and only selectively allowing that which is required, ingress and egress filtering should be implemented at the network edge. Likewise, controls must be in place to ensure that all software used on a network is properly maintained. See CA-2001-23 Continued Threat of the "Code Red" Worm for more information on these topics.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to email@example.com.
Author(s): Roman Danyliw, Allen Householder, and Marty Lindner
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
Getting security informationCERT publications and other security information are available from our web site
firstname.lastname@example.org. Please include in the body of your message
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
August 6, 2001: Initial Release January 17, 2002: Updated Reporting section