SoduPopGames

Code Red

Sep 23rd, 2016
Behavior

CodeRed arrives at a server as a GET /default.ida request on TCP port 80. The request contains code that exploits a known buffer overflow vulnerability in the indexing software in Microsoft's Internet Information Server (IIS), allowing the worm to run code from within the IIS server (described in Microsoft's advisory). The worm runs entirely in memory and cannot be found on the disk. It is about 3,569 bytes long.

Using the CreateThread API, the worm tries to create 100 threads, or copies of itself, but due to a bug in its code it may actually create many more. Infected computers are likely to have high CPU loads because of this. Each of the threads checks for the file C:\Notworm. If this file exists, the worm does not run and the thread goes into an infinite sleep state. The exact significance of the Notworm file is uncertain; there is some speculation that it existed only on one or more of the creator's computers, to prevent the worm from infecting them.

If the date is between the 20th and 28th of the month, the worm sends junk data to port 80 of 198.137.240.91, then the IP address of whitehouse.gov (the address was changed because of the worm). After the 28th, it goes into an infinite sleep mode and cannot be awakened unless deliberately executed.

The 100th thread of the worm checks the language of the server's local page. If the language is US English, it changes the page.

[Image Codered.png: page defaced by Codered]
If the date is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses. To avoid looping back to infect the source computer, the worm will not make HTTP requests to IP addresses in 127.*.*.*. If the default language of the computer is American English, further threads cause Web pages to be defaced with "Welcome to http://www.worm.com!" and "Hacked by Chinese!". First, the thread sleeps for two hours, and then hooks the function that responds to HTTP requests. Instead of returning the correct Web page, the worm returns its own HTML code.

This hook lasts for 10 hours and is then removed. However, re-infection or other threads can rehook the function.

The worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit the buffer overflow in the Indexing Service.

The signature of CodeRed appears in the signature logs as:

GET
   /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
   %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f
   f%u0078%u0000%u00=a  HTTP/1.0

The original CodeRed worm stopped propagating on 2001.07.28, going into "Infinite Sleep Mode". It is believed that the worm will not "awaken" and will not spread again unless deliberately executed again.

Variants

CodeRed.II

This variant is very similar to the original, with only two major differences. The signature of CodeRed.II replaces the multiple N's with X's. This variant also drops a trojan called VirtualRoot, which can give a cracker access to and control of the server.
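As an added example that is not part of the original paste, here is a small Python detector that applies the request signature given above to constructed web-server access-log lines and tells the original worm's N filler apart from CodeRed.II's X filler. The Common Log Format input and the 20-byte minimum filler run are assumptions, not taken from the page.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access log in Common Log Format (not real traffic).
# Line 1 mimics the original CodeRed request, line 2 the CodeRed.II variant
# (X filler); lines 3 and 4 are benign look-alikes that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2001:13:20:01 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
10.0.0.6 - - [04/Aug/2001:02:11:45 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 -
10.0.0.7 - - [04/Aug/2001:02:12:00 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.8 - - [04/Aug/2001:02:12:30 +0000] "GET /default.ida?page=NNN HTTP/1.0" 404 -
"""

# Common Log Format: client address first, request line in the first quoted field.
_CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# The overflow request: GET /default.ida? followed by a long run of one filler
# byte (N for the original, X for CodeRed.II), then %uXXXX-encoded shellcode.
# The real worm uses far more than 20 filler bytes; 20 is an assumed floor.
_CODERED = re.compile(
    r"^GET /default\.ida\?(?P<fill>[NX])(?P=fill){20,}(?:%u[0-9a-fA-F]{4})+"
)


def classify_request(request_line: str) -> Optional[str]:
    """Return 'CodeRed', 'CodeRed.II' or None for one HTTP request line."""
    m = _CODERED.match(request_line)
    if m is None:
        return None
    return "CodeRed" if m.group("fill") == "N" else "CodeRed.II"


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, verdict) for every log line carrying the signature."""
    hits = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if m is None:
            continue  # not a CLF line; skip rather than guess
        verdict = classify_request(m.group("req"))
        if verdict is not None:
            hits.append((m.group("client"), verdict))
    return hits


if __name__ == "__main__":
    for client, verdict in scan_log(SAMPLE_LOG):
        print(f"{client}: {verdict}")
```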

Codegreen

This is a nematode worm, or anti-worm. It erases Codered and downloads the Microsoft patch that fixes the vulnerability that allows the worms to spread. It then displays a message:

Des HexXer's CodeGreen V1.0 beta
CodeGreen has entered your system
it tried to patch your system and
to remove CodeRedII's backdoors

You may uninstall the patch via
SystemPanel/Sofware: Windows 2000 Hotfix [Q300972]
get details at "www.microsoft.com".
visit "www.buha-security.de"

Effects

Code Red infected between 1 and 2 million computers and resulted in an estimated $2.75 billion in clean-up costs and lost productivity. This is out of a possible 6 million, the number of IIS servers in existence at the time. It was the most costly malware of 2001.

Microsoft's update servers were hit with the worm around the time it started spreading. The next month, Hotmail was infected. It is uncertain whether Hotmail was infected with the original or the more virulent CodeRed.II. No personal information was compromised.

Origin

eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter worm). The defaced web pages strongly suggest that it might have come from China.

Some antivirus people accused Wintermute of the virus coding group 29A of creating CodeRed. Wintermute did code a virus named Redcode, which was probably mistaken for CodeRed.

Other Facts

CodeRed was deemed by the FBI to be so dangerous that it could bring down the entire Internet due to the increased traffic from its scans.

The phrase "Hacked by Chinese", in the payload of the original CodeRed, became an Internet meme indicating an online defeat. Sometimes it means being beaten in a game by a less-experienced player or someone with less skill. The phrase was still in use as late as mid-January 2010 in a PC World article, though the author may not have consciously intended any reference to CodeRed or the meme.