Monday, July 16, 2012


"Code Red" is a computer worm that attacks specific web servers. The worm was first discovered and researched by Marc Maiffret and Ryan Permeh, employees of eEye Digital Security.
According to my research, a worm is a malicious program that uses computer or network resources to make copies of itself; it damages both the system and the network, and it can carry additional code or other malware along with it.

The worm exploits a vulnerability in the indexing software distributed with IIS, and it spreads itself through a common type of vulnerability known as a buffer overflow. The worm uses a long repeated string of the character "N" to overflow a buffer, which allows it to execute arbitrary code and infect the machine.

What should you do if you discover that your computer has been hit by a computer virus? That depends on the virus. Many antivirus programs are able to remove viruses from an infected system, but if the virus has damaged some of your files or data, you will need to restore them from backups, so it is extremely important to back up your information often. With worms like Code Red, it is a good idea to completely reformat the hard drive and start fresh: some worms allow other malicious software to load onto your machine, and a simple antivirus sweep might not catch it all.



"Code Red" worm activity can be identified on a machine by the presence of the following string in the web server's log files:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a 
The presence of this string in a log file does not necessarily indicate compromise. It only shows that a "Code Red" worm attempted to infect the machine.
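As an added example (not part of the original post), here is a short Python scanner that looks for this signature in web server access logs, counts attempts per source address and notes which of those requests were answered with a 200. The log lines and IP addresses are constructed samples in Apache combined format, not real traffic, and the regular expressions and function names (CODE_RED_RE, scan_log, summarize) are my own.

```python
import re
from collections import Counter

# Constructed sample log lines in Apache/NCSA combined format (not real traffic).
# Addresses come from the RFC 5737 documentation ranges. The second to fourth
# lines carry the /default.ida?NNNN...%u... request that the post describes.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:08:12:01 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2001:08:13:44 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [19/Jul/2001:08:13:45 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
203.0.113.5 - - [19/Jul/2001:08:15:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 0 "-" "-"
192.0.2.10 - - [19/Jul/2001:08:16:30 -0400] "GET /default.ida HTTP/1.1" 404 276 "-" "Mozilla/4.0"
"""

# Fields of one combined-format line: client IP, timestamp, request line, status.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signature: a request for /default.ida whose query string starts with a long
# run of "N" followed by %uXXXX escapes, as in the string quoted in the post.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{20,}.*%u[0-9a-fA-F]{4}')


def parse_line(line):
    """Return a dict of the fields we need, or None if the line does not parse."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_code_red_probe(path):
    """True if the request path carries the Code Red infection-attempt signature."""
    return CODE_RED_RE.match(path) is not None


def scan_log(text):
    """Return the parsed record of every line that matches the signature."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count attempts per source IP and note which sources got a 200 back.

    The status code only hints at how the server handled the request; as the
    post says, a logged attempt does not prove the host was compromised.
    """
    return {
        "by_source": Counter(h["ip"] for h in hits),
        "served_200": {h["ip"] for h in hits if h["status"] == 200},
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    report = summarize(found)
    print(f"{len(found)} Code Red probe(s) found")
    for ip, n in report["by_source"].most_common():
        flag = " (request returned 200)" if ip in report["served_200"] else ""
        print(f"  {ip}: {n} attempt(s){flag}")
```

Run it against a real access log by reading the file into `scan_log` instead of `SAMPLE_LOG`; the per-source counts are what you would feed into a firewall block list or a notification to the owner of the scanning host, while the 200 responses are the hosts worth a closer look.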
Additionally, web pages on victim machines may be defaced with the following message:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
The text of this page is stored exclusively in memory and is not written to disk. Therefore, searching for the text of this page in the file system may not detect compromise.

In addition to possible web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm. This degradation can become quite severe, since it is possible for a worm to infect a machine multiple times simultaneously. Non-compromised systems and networks that are being scanned by other hosts infected with the "Code Red" worm may experience severe denial of service. In the earlier variant, this occurs because each instance of the "Code Red" worm uses the same random number generator seed to create the list of IP addresses it scans; therefore, all hosts infected with the earlier variant scan the same IP addresses. This behavior is not found in the later variant, but the end result is the same because of improved randomization techniques that facilitate more prolific scanning.

Furthermore, it is important to note that while the "Code Red" worm appears merely to deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the victim system.


The worm was named CODE RED because its creators were thinking of Mountain Dew Code Red at the time.

My opinion about the worm is that it was purposely created to corrupt certain establishments' or companies' files; maybe the motive was to reduce competition against other firms or companies, but I guess somehow the worm attacked the creator's files instead and could not follow direct orders from its maker or creator. Furthermore, it has a big chance to commit treachery as long as it can perform its purpose. According to all the information I got, I can say that it is a very destructive virus, yet very easy to fix, but still important or essential files might be at risk.