Last significant update: 19 July, 2001
This information can be freely reproduced in any medium, as long as the information is unmodified.
The CodeRed worm, also known as "Code Red" or "W32/Bady.worm", is a worm that attacks unpatched Microsoft IIS servers. As such, it's not a direct threat against most end users -- but can be a pain for sysadmins. The main payload is defaced web pages; if you see a page that says:
Welcome to http://www.worm.com !
Hacked By Chinese!
then there is a good chance that the web page has been defaced by CodeRed. In that event, it's probably a good idea to tell the webmaster of that site, so that the worm can be removed.
Users of VirusScan will be protected against this worm by the 4149 virus definitions, currently scheduled for release on 25 July, 2001; because this worm has had some success "In The Wild", NAI may release the 4149 drivers early. In the interim, NAI have provided us with an "extra driver" that recognizes CodeRed.
Store this "EXTRA.DAT" file in the "C:\Program Files\Common Files\Network Associates\VirusScan Engine\4.0.xx" folder -- note that the folder name is really "4.0.xx"; the xx's do not represent an unknown number.
This extra driver, when properly installed, will NOT remove the worm, nor will it prevent infection. It is for detection only.
For more information about this worm, see e.g., NAI's writeup on CodeRed or the CERT incident report.
System Administrators: For more information about securing IIS servers so that they are not vulnerable to this -- or other similar attacks -- see Microsoft's bulletin and patch for this security flaw.
Please do not forward warnings about this exploit -- or any other warning or hoax -- to all your friends (though you might alert sysadmins of IIS servers, if you think they have not installed the patch).
Instead, you should reply to the sender -- and as far back up the email
chain as you have energy -- pointing the originators to web resources such as
ours.
For this particular worm, I suggest that you provide a pointer to this URL
(http://www.umich.edu/~virus-busters/bady.html)
For virus or hoax info, please see our main page
(http://www.umich.edu/~virus-busters/) or go to another reputable site,
like The Urban Legends Reference Pages (leaving our site).
-BPB