The Code Red Worm
What is the Code Red Worm?
The Code Red worm is an Internet worm. It has both worm and Trojan
elements and attempts to spread itself by sending specially crafted
Web server requests to vulnerable Microsoft Web Servers.
Where can I find more information about this virus?
The Office of Information Technology has issued two general advisories
and posted an announcement on the BU Home Page regarding the IIS
vulnerability that the Code Red Worms use.
BU-2001.09: "Code Red" Worm Spreading at Boston University
BU-2001.07: Buffer Overflow in IIS Windows Web Servers
Below are some links to information posted by others. While we believe
this information may be useful and reasonably accurate, we have neither
authenticated nor verified any of it.
Microsoft's Web Site
See Symantec's Web site for current information on Norton AntiVirus
updates and NAI's Web site for current information on McAfee VirusScan
and Dr. Solomon's updates. You should use your regular update mechanisms
to get the latest version of these virus definition files.
How can I remove this virus?
Follow the instructions found at the Web sites mentioned above, install
the patch and use Microsoft's CodeRedCleaner Utility, or contact the
PCSC (617/353-7272, pcsc@bu.edu) for help.
If you are affiliated with Boston University, you can download and
install the latest version of Network Associates' McAfee VirusScan for
free, as Boston University has a site license for this product. Please
visit BU's Anti-Virus
software Web site for more information. This site will prompt you
for your BU login name and password before allowing access.
I received e-mail saying that my dial-up access or network port will be disabled. What should I do?
It appears that your system is most likely infected. As described above,
the virus has probably used Microsoft's Web Server (IIS) on your system
to infect other IIS servers and will try to participate in a Denial of
Service Attack against the White House. Your system may also have a
back door installed. To avoid spreading this virus on to new recipients,
you should download and install the appropriate patch for your Web
Server product and then use Microsoft's CodeRedCleaner Utility twice to
remove the Trojans that may have been installed on your computer. When
your system has been patched and cleaned, contact the BU OIT Security
Team outlining the steps taken to protect your computer.
Is there anything else I can do to protect myself from this type of attack?
If you do not need to run IIS on your computer then you should turn
it off immediately. Guides for doing so are available from Microsoft
at:
Microsoft Internet Information Server (IIS) 4 for Windows NT
Microsoft Internet Information Server (IIS) 5 for Windows 2000
If you decide to continue running IIS on your computer, you should
apply all current patches and remain alert for future advisories on
IIS and apply those patches as well. Subscribe to Microsoft's Product
Security Notifications at: www.microsoft.com/technet/security/bulletin/notify.asp
Download and install all the current patches for IIS at:
IIS cumulative patch (all patches up to August 15, 2001)