[NCLUG] NT server virus

John L. Bass jbass at dmsd.com
Mon Jul 23 17:40:55 MDT 2001


It seems several of our members running NT servers instead of Linux servers got hit
this time around.

        This mail is from the ARIS Analyzer Service (Attack Registry and Intelligence 
        Service) from SecurityFocus. It has come to our attention that your system(s),
        listed below have been identified as being compromised by the Code Red Worm.  
        The Code Red Worm is rapidly spreading across the Internet, compromising 
        vulnerable Windows NT IIS servers.

        You can find up to date information on the Code Red Worm at:

        http://aris.securityfocus.com/alerts/codered

        On June 18, 2001, eEye Digital Security released an advisory regarding a new 
        security hole in IIS. You can find its advisory at:

        http://www.eeye.com/html/Research/Advisories/AD20010618.html.

        In short this worm is propagated by a recently released buffer overflow 
        attack in Microsoft's IIS Index Server and Indexing Service ISAPI Extension. 
        The worm exploits this buffer overflow in the code that handles .ida requests. 
        An as-yet unknown source has created an exploit and turned it into a worm. 
        The worm attempts to deface the Web site of the victim host with the 
        following HTML code:

        <html><head><meta http-equiv="Content-Type" content="text/html; charset=English"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html>

        The worm then proceeds to scan for other vulnerable hosts after installing 
        itself on the new victim.

        This worm is designed to attack the IP address for www1.whitehouse.gov 
        starting on July 20, 2001 UTC, or July 19, 2001 at 5:00 p.m. PDT. The 
        provider for the whitehouse.gov Internet connection blocked traffic to 
        that IP address, allowing traffic to reach alternate servers. Because all 
        known versions of the worm attack the single IP address, www.whitehouse.gov 
        remained accessible.

        The worm is coded to spread until July 20, attack whitehouse.gov until July 
        28, and then sleep until the end of the month. Initially, poor selection of 
        pseudo-random addresses meant each worm attacked the same set of addresses, 
        re-infecting the same vulnerable servers and disrupting service for these 
        addresses in particular. However, observers have discovered a variant of the 
        worm that "improves" upon the IP address randomness, resulting in a more even 
        distribution of victims (please see the technical details).
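As an added detection example (not part of the original post or the ARIS alert): a small Python scanner over constructed web-server access-log lines that flags the kind of request the alert describes, an overlong query to the Index Server `.ida`/`.idq` ISAPI handler. The log format, the 240-byte threshold and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Requests to the Index Server ISAPI extensions (.ida / .idq) carrying an
# overlong query are the symptom of the overflow the alert describes.
# 240 bytes is an assumed threshold; legitimate .ida queries are short.
MAX_QUERY_LEN = 240


@dataclass
class Hit:
    host: str
    time: str
    target: str
    reason: str


def classify(line: str):
    """Return a Hit for a suspicious .ida/.idq request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path, _, query = target.partition("?")
    if not path.lower().endswith((".ida", ".idq")):
        return None
    if len(query) > MAX_QUERY_LEN:
        reason = "overlong query to Index Server ISAPI extension"
    elif "%u" in query.lower():
        # The worm's request carried %u-encoded bytes in the query string.
        reason = "%u-encoded bytes in .ida query"
    else:
        return None
    return Hit(m.group("host"), m.group("time"), target, reason)


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [h for h in (classify(l) for l in lines) if h]


# Constructed sample log lines (not real traffic): a benign page fetch, an
# overlong .ida probe (query reduced to a run of N), and a short .ida query.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:14:02:11 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Jul/2001:14:02:15 -0600] "GET /default.ida?' + "N" * 300 + ' HTTP/1.0" 200 0',
    '203.0.113.4 - - [19/Jul/2001:14:03:01 -0600] "GET /query.ida?CiRestriction=linux HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.time} {hit.host} {hit.reason}: {hit.target[:40]}...")
```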
