It's a Code Red week again.
The prolific worm, which is now crawling the Net in several variations, spends much of the calendar month slithering into systems through a hole in Microsoft Internet Information Server (IIS). On August 20, as it has on the twentieth day of previous months, infected systems are programmed to launch denial-of-service attacks.
The specific IP (Internet Protocol) address targeted by Code Red, previously occupied by whitehouse.gov, is no longer active. It will duck the attacks, which are programmed to last through August 27. But surfers might still experience a general slowdown on the Net if Code Red provokes a flurry of network traffic. And what's more, your system could be an unwitting accomplice.
The virus-watching organizations expect damage should be minimal this time around, although they caution that your unprotected server might still harbor a worm.
"We're getting fewer reports of infections," says Shawn Hernan, team leader for vulnerability handling at the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University. "I don't expect this will be a major event."
Still, he estimates that more than 25,000 Internet servers are still vulnerable to the Code Red worm family. It appears on systems running IIS, which typically run the Windows 2000 and Windows NT operating systems. In fact, IIS is enabled by default on Windows 2000.
Those unprotected systems will become infected once the worm resumes scanning for them in September, Hernan says. He credits the work of various governmental and private sector organizations during the previous two outbreaks of the worm with protecting hundreds of thousands of servers already.
Code Red, discovered in mid-July, made its biggest splash after infecting more than 300,000 computers worldwide in August. It also defaces any servers it infects. A second worm, called Code Red II, lacks the date-sensitive aspects of the original, and does not leave graffiti. It does, however, install a more dangerous backdoor in the server that could allow attackers to gain control over those systems.
Rumors of a third variant, called Code Red III, claimed it was even more dangerous than the original. But the only variant is nomenclature, says Lisa Smith, a spokesperson for antivirus vendor McAfee.
"There was confusion about what different antivirus vendors are calling the same thing," she says. What some people are calling Code Red III is the same as Code Red II, she says.
Whatever its name and nasty habits, the Code Red worm isn't vanishing entirely.
"We are going to see, over the next year, echoes of this every month until the number of vulnerabilities is negligible," says CERT's Hernan. A number of time-sensitive worms and viruses, which made large initial impacts, still cause small bouts of trouble on certain dates. Even if Code Red will no longer trouble Internet users, the issues that it exploited are still present, Hernan says.
"Fundamentally, there are chronic problems on the Internet," such as systems administrators not patching their systems soon enough and software being released with security holes, he says. "Until we can address both root causes in a fundamental way, we're going to continue to be at risk."
Before Code Red awakens for its monthly exercise, you might find it valuable to assess vulnerable systems and ensure that you're not contributing to a network slowdown or--worse--leaving yourself open to more damage later. Following is a tutorial on assessing your damage and protecting your systems.
How to track, kill the Code Red worm
If you're running IIS, it's just smart management to make sure your system is protected against the Code Red worm family. Here's what you need to do to stomp out the worm, regardless of whether your system has become infected.
First, determine if the worm is residing on your system. If your PC contains the first release of Code Red, the worm exists only in memory and doesn't drop any files on your hard drive. The Code Red II version deposits so-called Trojan horse applications on your system that open it up to further hacking by outsiders.
Several free tools are available to scan your system for infection. You can use Symantec's FixCodeRed Assessment Tool or McAfee's CyberCop WormScan for this function.
If you haven't been infected, you're in luck. Download the Microsoft patch (liltingly named q300972) that prevents Code Red from taking hold on your system. Make sure you choose the correct patch for your operating system: Microsoft offers one for Windows NT 4 and one for Windows 2000 (all versions). Run the downloaded file, and you'll be safe. If you haven't upgraded to Windows 2000 Service Pack 2, now is a good time to do that chore, too.
If your system is infected by Code Red II, you may have additional problems. Between the time the worm wriggled into your system and when you discovered it, hackers may have already made other subtle changes to the affected system, installing other Trojan horse programs or other viruses. Besides installing the patch, conducting a full system scan using an up-to-date antivirus tool is in order. For systems that run critical infrastructure, like a business Web site, you may need to completely format the hard drive and reinstall the operating system from scratch. Or you may have to rebuild the entire drive from a previous full backup, just to be sure your machine is free and clear of nasties.
Removing the worm
If your system is infected with either Code Red or Code Red II, you still need to install the patch. Also, grab a copy of the Microsoft Code Red hotfix tool. Run the automatic updater for your antivirus software, or download the latest definition files and install them. Now you're ready to begin removing the Code Red II files.
Disconnect your network cable from the back of your PC (or hang up your modem connection) before you begin the cleanup. Begin the cleansing by running the Microsoft Code Red hotfix tool, and follow all the instructions to clean out the various files the worm left behind. (If you prefer to remove the files manually, you can skip this step and continue.)The first part of the fix involves removing the Trojan horse files installed on your system. Code Red II takes advantage of a little-known default Windows behavior to find certain Windows programs starting in the C:\ directory instead of in the WINNT folder, where system apps reside. Code Red II places the Trojan, cleverly disguised as Explorer.exe, in either your C:\ or D:\ directory. You need to kill the Trojan Explorer while leaving the real Windows Explorer running.
First, close all open Windows Explorer windows. Hit the Ctrl-Alt-Delete keys simultaneously, click the button labeled Task Manager, and select the Processes tab. Sort the list alphabetically by clicking the Image Name tab twice. If the Microsoft tool removed the Trojan properly, you'll only see one explorer.exe. If Code Red remains, you'll see two or more copies of explorer.exe in the list. Only one is the legitimate file, so be careful with this next step.
You need to stop the copy of explorer.exe that is running only one "thread." If you don't see a column labeled Threads, click View, Select Columns and fill in the checkbox labeled Thread Count, then click OK. Now it should be easy to identify which copy of explorer.exe has one thread. Select all the single-thread copies of explorer.exe, then click the End Process button. When the warning dialog displays, click YES to continue; when they're all gone, click File, End Task Manager.
Now that you've stopped the Trojan horse programs, you need to delete them from your hard drive using the Windows command line. Start the command program by clicking Start, Run, type cmd and click the Enter key. Type cd c:\ , hit the Enter key, then attrib -h -s -r explorer.exe and the Enter key again. Now you can type del explorer.exe and hit Enter to remove the file. If you have a D:\explorer.exe file, repeat this process in the D:\ directory by entering cd d:\ and stepping through the rest of the commands.
Repairing the damage
If you've been bitten by the Code Red worm, you have some other clean-up operations to perform. Code Red modifies existing Windows applications and functions. It distorts their operations to widen your vulnerability. It also changes some functions of the Windows Registry, where much of the core information of the operating system is stored.
Code Red takes the legitimate cmd.exe application from the WINNT folder, renames it "Root.exe" and places it in locations where a hacker could use it to access your hard drive. Delete the following programs from your drive. (Note that in this case the worm installs these files on a C: and D: drive if you have one.)C:\inetpub\Scripts\Root.exeD:\inetpub\Scripts\Root.exeC:\progra~1\Common~1\System\MSADC\Root.exeD:\Progra~1\Common~1\System\MSADC\Root.exeDisabling hacked settingsThe worm opens your hard drive to the Web via the personal Web server built into IIS. Your next step is to disable and remove these open shares.
Start by right-clicking the My Computer icon on the desktop and selecting Manage. In the left pane of the Computer Management window, expand the Computer Management (local) item, then Services and Applications, then Internet Information Services, then finally Default Web Site. In the right pane, right-click any icons that indicate drive letters and select Delete.
Cleansing the registry
The last part of the process involves opening the Windows Registry file and removing or replacing any keys the worm added or changed.
Important note: Messing with the Registry can make your PC stop functioning. Read all the instructions below thoroughly before you begin, and back up the entire Registry file before you make any changes. Symantec offers a tutorial for performing a safe backup.
First, open the Registry Editor by clicking Start, Run and then type regedit and hit the Enter key.
In the left pane are the categories of entries in the Registry, called keys. Expand the following key category by clicking the plus sign next to each subsequent category: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\W3SVC\Parameters\Virtual RootsWith the key "Virtual Roots" selected, delete the values of /C and /D in the right pane. Select the values one at a time. Press the Delete key and click Yes to confirm the deletion.
Next, in the right pane double-click the value /Scripts, and in the Edit String dialog box, delete only the number 217 from the end of the line labeled Value Data, and replace it with the number 201 and click OK.
Double-click the value /MSADC--also in the right pane--and in the Edit String dialog change the number 217 to 201, just as you did with /Scripts, and click OK.
If you have Windows NT, just reboot your system and you're done. But if you run Windows 2000, you have one additional step in Regedit to clean Code Red II out of your system.
As you did before, open Regedit and then navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\ CurrentVersion\WinLogon key, and select WinLogon in the left pane. In the right pane, double-click the value SFCDisable, and replace whatever you see in the Value data field with 0 -- that is, the number zero. Click OK then restart your PC.
Once a system is compromised, especially by Code Red II, it is potentially exposed to other infections. Antivirus vendors caution that infected systems are at their most vulnerable to attack. Unless you comb the usage and operations logs and can be certain nothing else malicious has occurred on the system, you may want to completely reinstall the operating system to be 100 percent certain that the PC is clean.
Sam Costello of the IDG News Service contributed to this report.