View Full Version : Code Red Virus


Rebel79
08-08-2001, 03:37 AM
The Code Red Virus is infecting the following machines:

Windows NT 4.0 running IIS
Windows 2000 Server or Advanced Server running IIS
Windows 2000 Professional

Code Red is infecting Win 2k machines that have Microsoft Frontpage installed. This program can be installed as a DEFAULT so you may have it and not know it! To find out if you are at risk do the following if you are running Windows NT, Win 2k Pro or server:

Press Control+Alt+Delete.
Click on the Task Manager
Select the Processes Tab.
Look for the process Inetinfo.exe.

If you have Inetinfo.exe running that means you are running Microsoft Frontpage or IIS. This means you may be at risk for the virus.

What do you do if you have Frontpage and want to prevent your system from getting Code Red? Or how do I clean my infected system?

Prevent the Virus.
Go to Microsoft's site (http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/security/topics/codeptch.asp) and download the patch. In most cases, it will NOT remove the Code Red Virus!

Disinfect your PC.
Go to McAfee's site (http://download.mcafee.com/updates/updates.asp) to download the Antivirus updates for McAfee's Antivirus scanners. Don't have McAfee's Anti-Virus tool? Go here (http://download.cnet.com/downloads/0-10093-100-6373148.html?tag=st.dl.10001-103-1.lst-7-1.6373148).

How is the Code Red Virus spreading?

Once a server is infected it performs a Port Scan looking for more servers. In other words, the server looks for other IP addresses running web servers by sending data to random IP addresses on port 80, the HTTP port. Once it finds a Windows NT or Win 2k server running IIS or Frontpage, it infects the server.

This may not seem like a bad virus, but it allows the Hackers to have Remote Access to that server. It also sends Denial of Service (DoS) attacks to http://www.whitehouse.gov . It also slows down corporate networks. This virus has infected major companies, such as Microsoft, Cisco, and many major Banks.

The Bank I work for was hit yesterday a little before 1pm PST on the West Coast. By 4pm PST the virus was infecting servers (both Win2k server and Pro) in Florida. This is a VERY serious virus and is costing companies a lot of money. Please help to make sure you don't have the virus, to prevent it from spreading.

DaOgre
08-08-2001, 02:59 PM
Are you sure this gives remote access to your computers? The hype was big for this but in reality I didn't notice much effect...

It seems relatively benign to me actually... aside from slowing your computer down it doesn't have any real payload, and it's easy to remove.

------------------

A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective.
Sun-tzu, The Art of War. Strategic Assessments

Manu
08-08-2001, 04:01 PM
I think the main worry was the DoS attacks it can run from a computer...

------------------
Manu Narayan

Rebel79
08-08-2001, 05:33 PM
I have seen these computers send off DoS attacks to whitehouse.gov so watch out. And yes they can give remote access. We have a copy of the actual virus in a text file.

MyStiK
08-08-2001, 07:09 PM
Rebel (from stangnet right?), do you have the source code to the virus?

------------------
-----------------------

Wh0'z jo0r |)adDy ?

Manu
08-09-2001, 12:45 PM
Several systems hosting the MSN Hotmail service have been infected by variants of the Code Red worm, Microsoft has confirmed.
According to a spokesperson for MSN Hotmail, which has more than 110 million users, some servers in the free, Web-based mail service's server farm were recently infected by the worm. Although the representative said the infections have been eliminated, Microsoft is still studying the issue.

Log file excerpts obtained by Newsbytes, however, indicate that some Hotmail servers remain infected today. Several log entries provided to Newsbytes show attempts by Hotmail hosts as recently as this afternoon to access Port 80 or the default.ida file on the remote system - telltale signs of a Code Red infection.

Statistics compiled by Dshield.org, an automated intrusion reporting service, indicate a number of Hotmail servers have been infected with Code Red II, according to operator Johannes Ullrich.

Security experts say Code Red II is more virulent than the original Code Red, because it installs a back door on the infected server and allows a remote attacker to control the system.

Dozens of unusual probes to Port 80 by Hotmail systems have also been reported in recent days to MyNetWatchman.com, a service which compiles firewall logs from hundreds of participating users. According to owner Lawrence Baldwin, the service does not have conclusive evidence that the servers are infected with Code Red.

"Since we know that most port 80 scan activity is Code Red, that is the most likely explanation" for all the scans, said Baldwin.

The Code Red worm and its successor, Code Red II, both exploit a bug in an indexing service shipped with Microsoft's Windows NT 4.0 and Windows 2000 operating systems. The worms attempt to propagate by scanning for other vulnerable systems using port 80. Once they have identified a target server, the worms run a program that causes a file on the server named default.ida to crash, after which malicious code written by the worms' author is executed.

Last year, Microsoft began migrating the Hotmail service from systems running the FreeBSD operating system to Windows 2000.

While the incident at Hotmail demonstrates the difficulty faced by all system administrators in eradicating Code Red, no widespread outages or access difficulties have been reported by Hotmail users in recent days.

The Hotmail infection follows a compromise last month of servers hosting Microsoft's Windows Update site by the original Code Red worm. For a brief period, visitors to the site were greeted by the worm's trademark defacement message, "Hacked by Chinese." www.technews.com (http://www.technews.com)

*************************************
What I find hilarious is that MS's patch is SUPPOSED to fix the error...

------------------
Manu Narayan
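Rebel79's first post describes the worm hunting for web servers on port 80, and the article quoted above names requests for default.ida as the telltale sign in a victim's logs. As an added example that is not part of the thread, here is a small Python script that pulls those probes out of web server log lines (Common Log Format) and tallies them by source host, labelling the 'N' filler run as Code Red and the 'X' filler run as Code Red II per the public CERT advisories; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Common Log Format), not taken from the thread.
# The default.ida request with a long filler run and %u-encoded tail mirrors
# the shape of the worm's probe; a non-IIS server simply answers 404.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2001:13:02:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 288
10.0.0.5 - - [08/Aug/2001:13:02:12 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 288
192.0.2.77 - - [08/Aug/2001:13:05:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 288
198.51.100.9 - - [08/Aug/2001:13:06:02 -0700] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
FILLER_RE = re.compile(r'^\?([NX])\1{15,}')  # a long run of one filler character


def code_red_variant(uri):
    """Return the worm variant a request URI matches, or None if it is not a probe.

    Code Red padded the default.ida query with 'N', Code Red II with 'X'
    (as recorded in the CERT advisories for the two worms).
    """
    path, sep, query = uri.partition("?")
    if path.lower() != "/default.ida":
        return None
    m = FILLER_RE.match(sep + query)
    if not m:
        return "unknown default.ida probe"
    return "Code Red" if m.group(1) == "N" else "Code Red II"


def find_code_red_sources(log_text):
    """Map each scanning source IP to (variant label, number of probes seen)."""
    hits = defaultdict(lambda: [None, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        variant = code_red_variant(m.group("uri"))
        if variant is None:
            continue  # ordinary request, not a worm probe
        hits[m.group("ip")][0] = variant
        hits[m.group("ip")][1] += 1
    return {ip: (variant, count) for ip, (variant, count) in hits.items()}


if __name__ == "__main__":
    for ip, (variant, count) in sorted(find_code_red_sources(SAMPLE_LOG).items()):
        print(f"{ip}: {count} probe(s), looks like {variant}")
```

Each source listed is a host that is itself infected and scanning, which is the same evidence Dshield and MyNetWatchman were collecting from submitted logs.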

Rebel79
08-13-2001, 12:03 PM
I personally don't have my mittens on it yet. ;)

Yah from Stangnet.
