ARCHIVED: What is the Code Red worm, and how do I remove it?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Code Red worm exploits a vulnerability in Microsoft's Internet Information Services (IIS) versions 4.0 and 5.0, and also attacks certain models of Cisco routers. The worm works by scanning the Internet, identifying computers running vulnerable IIS servers, and infecting those servers with copies of itself. Each newly installed copy begins scanning as well, so the overall scanning rate increases rapidly. On July 19, 2001, this worm infected more than 250,000 computers in just nine hours.
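The growth described above (every newly infected host becomes another scanner) is the classic random-scanning worm epidemic. The following Python model is an added illustration written for this article, not code from the original Knowledge Base page; the host count, per-host probe rate and patched fraction are constructed values for demonstration, not measured Code Red figures, and the only real constant is the size of the IPv4 address space. It shows why infection follows a logistic curve and why shrinking the vulnerable population by patching slows the whole outbreak, which is the defensive point of the patch recommendations that follow.

```python
# Added illustration: deterministic logistic model of a random-scanning worm.
# Not from the KB article; all parameter values below are constructed, not
# measured Code Red figures. Only ADDRESS_SPACE (IPv4) is a real constant.

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm chooses from


def simulate(vulnerable, initial_infected, scans_per_sec, seconds, step=1.0):
    """Euler-step logistic growth of the infected population.

    Each infected host emits `scans_per_sec` probes at uniformly random
    addresses. A probe lands on a still-uninfected vulnerable host with
    probability (vulnerable - infected) / ADDRESS_SPACE, so the expected
    number of new infections per step is
        infected * scans_per_sec * step * susceptible / ADDRESS_SPACE.
    Returns a list of (t_seconds, infected_hosts) samples.
    """
    infected = float(initial_infected)
    history = [(0.0, infected)]
    t = 0.0
    while t < seconds:
        susceptible = vulnerable - infected
        new = infected * scans_per_sec * step * susceptible / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)  # cannot exceed the pool
        t += step
        history.append((t, infected))
    return history


def time_to_fraction(history, vulnerable, fraction):
    """First sample time at which at least `fraction` of the vulnerable hosts
    are infected, or None if the simulation ended before that point."""
    for t, n in history:
        if n >= fraction * vulnerable:
            return t
    return None


def patch_effect(vulnerable, patched_fraction, scans_per_sec=6.0, hours=24):
    """Compare time-to-50%-infected before and after patching.

    Patching removes hosts from the susceptible pool, which lowers the
    contact rate K = scans_per_sec * vulnerable / ADDRESS_SPACE and stretches
    the entire curve. Returns (t_half_unpatched, t_half_patched) in seconds.
    """
    seconds = hours * 3600
    before = simulate(vulnerable, 1, scans_per_sec, seconds)
    remaining = int(vulnerable * (1 - patched_fraction))
    after = simulate(remaining, 1, scans_per_sec, seconds)
    return (time_to_fraction(before, vulnerable, 0.5),
            time_to_fraction(after, remaining, 0.5))


if __name__ == "__main__":
    # Constructed scenario: 360,000 vulnerable hosts, 6 probes/s per infected host.
    t_before, t_after = patch_effect(360_000, 0.5)
    print(f"50% infected after {t_before / 3600:.1f} h; "
          f"with half the hosts patched first: {t_after / 3600:.1f} h")
```

With the constructed parameters the model reaches half of the vulnerable population in roughly seven hours, and patching half the hosts beforehand nearly doubles that time, because the contact rate is proportional to the number of hosts still vulnerable. The model is deterministic and ignores network congestion and host removal, so it describes the shape of the outbreak rather than predicting exact counts.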

For more information on the Code Red IIS worm, including a link for patching this vulnerability, see:

  http://www.microsoft.com/technet/security/alerts/info/codered.mspx

Note: Though the vulnerability exploited by the Code Red worm is only present on computers running IIS 4.0 or IIS 5.0, Indiana University's University Information Security Office recommends that all users of Windows NT or 2000 apply the patches below. As IIS only runs on Windows NT and 2000, users of Windows 95, 98, Me, or XP are not at risk from this worm.

Windows 2000

Users of Windows 2000 Professional, Server, and Advanced Server should apply the June 18, 2001 Security Update.

Note: The patch for the Code Red vulnerability was not included in the MS01-026 comprehensive IIS patch.

Windows NT 4.0 Service Pack 6a

Users of Windows NT 4.0 Service Pack 6a should apply the July 26, 2001 Security Update.

Note: The patch for the Code Red vulnerability is included in the Rollup Package.

Windows NT 4.0 without Service Pack 6a

Users of Windows NT 4.0 who have not yet applied Service Pack 6a should do so immediately. After you upgrade your computer to SP6a, you can then apply the NT 4.0 Security Rollup Package. You can download SP6a from IUware or directly from Microsoft at:

  http://support.microsoft.com/kb/241211

Cisco routers

Unpatched or improperly configured Cisco routers commonly used in digital subscriber line (DSL) systems are vulnerable to probes by the Code Red worm. When Code Red scans a Cisco 600 series router that has web access enabled, the router hangs and stops forwarding packets. To reestablish connectivity, you must power down and restart the router. To prevent the problem from recurring, you must disable the Cisco Broadband Operating System (CBOS) setting that allows access to the router via the web. For instructions on this procedure, see Qwest's Code Red Virus Alert page at:

  http://www.qwest.com/dsl/customerservice/coderedvirus.html

Also see Cisco's page on the Code Red worm at:

  http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

In some cases the worm corrupts the Nonvolatile Random-Access Memory (NVRAM) entirely, necessitating a reinstallation of CBOS. For further details, see Cisco's page on CBOS vulnerabilities at:

  http://www.cisco.com/warp/public/707/CBOS-multiple.shtml

This is document ajyv in the Knowledge Base.
Last modified on 2018-01-18 13:10:43.