Aliases: W32/CodeRed.c, Troj/Codered-II, Trojan.CodeRed.8192, Win32:CodeRed-II
Win2k/CodeRed.D is a worm that spreads on the Windows 2000 operating system. It attacks web servers running Microsoft IIS (Index Server 2.0 and the Indexing Service in Windows 2000, respectively) on which the patch for the security vulnerability "Unchecked Buffer in Index Server ISAPI Extension" has not been installed.
Upon activation the worm checks the system language setting. If Chinese is set as the system language, the worm spreads twice as aggressively as with any other system language.
The worm checks the system date to find out whether the year is less than 2002 or the month is earlier than October. If the date is outside these limits, the system is restarted. Otherwise the worm randomly generates IP addresses and tries to send a copy of itself to them. If the target address belongs to a system that can be attacked (the aforementioned unpatched vulnerability and a suitable operating system), the worm spreads to it. The worm runs up to 300 tasks at the same time searching for vulnerable IP addresses.
Note: In the following text the placeholder %windir% is used instead of the name of the directory in which the Windows operating system is installed; this directory can naturally differ from one installation to another.
The worm copies the file cmd.exe from the directory %windir%\System32 into the scripts directory Disk_Name:\inetpub\scripts\ and into the directory Disk_Name:\progra~1\common~1\system\MSADC\ as the file root.exe. In the root directories of disks C: and D: the worm creates the file explorer.exe, which contains a Trojan horse.
The Trojan horse runs the file explorer.exe from the directory %windir% and manipulates the system registry. It turns off the System File Checker by setting the value of the key HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to 0FFFFFF9Dh. It changes the values of the keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\Scripts and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\msadc to ",217". It also creates the keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\c with the value "c:\,,217" and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\d with the value "d:\,,217". Through these changes, the local disks of the computer become accessible from the Internet. The Trojan horse repeats these actions in a loop.
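The file and registry changes described above are what an administrator would look for when checking whether an IIS host has already been hit. The following PowerShell script is an added example, not part of the original description or of any ESET tool: it performs read-only checks for the root.exe copies, the explorer.exe dropped in drive roots, the SFCDisable value and the ",217" virtual-root entries. The paths and value names are taken from the description; the Winlogon key is written with its full HKLM\SOFTWARE\... prefix, which is where that key lives on Windows, and the virtual-root check also accepts value names stored with a leading slash, in case IIS records them that way.

```powershell
# Added example: read-only audit for the Win2k/CodeRed.D artifacts described above.
# Run from an elevated PowerShell prompt on the IIS host. Nothing is modified.

function Find-CodeRedIIArtifacts {
    $findings = @()

    # 1. root.exe (a renamed cmd.exe) in the two script directories and the
    #    Trojan explorer.exe in the root of every fixed drive.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
    foreach ($d in $drives) {
        $candidates = @(
            (Join-Path $d.Root 'inetpub\scripts\root.exe'),
            (Join-Path $d.Root 'progra~1\common~1\system\MSADC\root.exe'),
            (Join-Path $d.Root 'explorer.exe')
        )
        foreach ($p in $candidates) {
            if (Test-Path -LiteralPath $p) {
                $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                $findings += "file present: $p (SHA256 $hash)"
            }
        }
    }

    # 2. System File Checker switched off. The description gives the value as
    #    0FFFFFF9Dh; the registry stores it as a DWORD, which PowerShell reads
    #    as a negative Int32, so it is formatted back to hex for display.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
    if ($null -ne $sfc -and $sfc.SFCDisable -ne 0) {
        $findings += ('SFCDisable is set to 0x{0:X8}' -f $sfc.SFCDisable)
    }

    # 3. IIS virtual roots exposing drive roots and the script directories.
    #    Any of the four named entries whose value ends in ",217" is reported.
    $vroots = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots'
    if (Test-Path -LiteralPath $vroots) {
        $props = Get-ItemProperty -Path $vroots
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $name = $prop.Name.TrimStart('/')
            if (('c', 'd', 'Scripts', 'msadc') -contains $name -and "$($prop.Value)" -like '*,217') {
                $findings += "virtual root '$($prop.Name)' = $($prop.Value)"
            }
        }
    }

    return $findings
}

$result = Find-CodeRedIIArtifacts
if ($result.Count -eq 0) {
    Write-Output 'No Win2k/CodeRed.D artifacts found.'
} else {
    Write-Output 'Possible Win2k/CodeRed.D artifacts:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

A hit on any of the three groups is worth treating as a compromised host rather than cleaning in place: the description notes that the Trojan re-applies its registry changes in a loop, so removing the virtual-root entries without stopping the Trojan process and removing the dropped explorer.exe will not hold.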