Type: network worm author: unknown, country: China, host: Windows 2000; MS IIS server
CodeRed is a worm that caused billions of dollars in damage in the summer of 2001. It is also one of the few worms that can work completely in memory without leaving files on your hard drive.
Codered was uploaded to the server as a GET /default.ida request on TCP port 80. Request contains code that used buffer overflow vulnerability in Microsoft Internet Information Server (IIS) indexing software, allowing worm to run code from inside IIS server. Worm was working completely in memory and it was almost impossible to detect it on disk. It was only 3569 bytes.
Using the CreateThread API, the worm tried to create 100 copies of itself, but because of an error in its code it could create much more. Because of this, the infected computers had a high CPU load. Each of the threads was checking the file, C: \ Notworm. If the file existed, the worm would not start and the thread would go into an endless waiting state. It is believed that this file existed only on the virus author’s computers to prevent the infection of his devices.
Then, the virus worked according to the following algorithm:
If the current date was in the range 20-28 of the day of any month, the worm sent unwanted data to port 80 on 184.108.40.206 and then to the IP address whitehouse.gov. After the 28th, it went into sleep mode .
If the date preceded the 20th of the month, the next 99 threads tried to use as many computers as possible, focusing on random IP addresses. To prevent the source computer from being infected again, the worm did not send HTTP requests to IP addresses 127. *. *. *. If the default language on your computer is English, further threads made web pages look distorted. Thread In this case slept for two hours and then intercepted the function that responded to HTTP requests. Instead of returning the correct web page, the worm returned its own HTML code.
The 100th thread of the worm would check the language of the server’s local page. If the language was English, the worm would change the page by adding the
Welcome to worm.com Hacked by Chinese! text string.
The worm tried to connect to TCP port 80 on a randomly selected host, assuming that a web server would be found. After successfully connecting to port 80, the attacking host sent a processed HTTP GET request to the victim trying to use a buffer overflow in the indexing service.
The original CodeRed worm stopped spreading in 2001.07.28 by switching to “Infinite Sleep Mode”.
Code Red infected 1-2 million computers and resulted in a cost of 2.75 billion for cleaning alone.
CodeRed also initiated a DDoS attack on the White House. Those computers infected with CodeRed tried to simultaneously contact the web servers in the White House, overloading them.
1) CodeRed.II is very similar to the original with the main difference. In this version, there is a Trojan VirtualRoot, which performed hacking the server and allowed you to manage it.
2) Codegreen is an anti-worm. It removed Codered and downloaded a patch from Microsoft that fixed a vulnerability that allowed Codered to spread. After that a message was displayed:
Des HexXer's CodeGreen V1.0 beta CodeGreen has entered your system it tried to patch your system and to remove CodeRedII's backdoors You may uninstall the patch via SystemPanel/Sofware: Windows 2000 Hotfix [Q300972]. get details at "www.microsoft.com". visit "www.buha-security.de"
It is believed that the name CodeRed is a reference to a type of lemonade “Mountain Dew” “CodeRed”. The FBI thought the virus could, if not put, reduce the entire Internet due to increased traffic from scanning. The phrase “cracked by the Chinese!” became an Internet cliche and was used to defeat gamers in various online-games and memes 🙂