Code Red II

Code Red II is a computer worm similar to the Code Red worm. Released two weeks after Code Red on August 4 2001, although similar in behaviour to the original, analysis showed it to be a new worm instead of a variant. The worm was designed to exploit a security hole in the indexing software included as part of Microsoft's Internet Information Server (IIS) web server software.

A typical signature of the Code Red II worm would appear in a web server log as:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801

%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3

%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

Where the original worm tried to infect other computers at random, Code Red II tried to infect machines on the same subnet as the infected machine.

Microsoft released a security patch for IIS that fixed the security hole on June 18 2001, however as of 2005 there are still machines infected with the Code Red II worm.

External links

Original Analysis of Code Red II - analysis by Steve Friedl
ANALYSIS: CodeRed II Worm - analysis by eEye Digital Security

Categories: Computer viruses